{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `immich-server` image uses the latest tag", "shortDescription": {"text": "Compose service `immich-server` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, 
"cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR013", "name": "Dockerfile ADD downloads remote content", "shortDescription": {"text": "Dockerfile ADD downloads remote content"}, "fullDescription": {"text": "Use curl/wget with a pinned URL, verify checksum or signature, and prefer COPY for local files."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "Confirm whether this file is reachable. 
If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. 
Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. 
Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC017", "name": "Database password is wired through an environment variable placeholder", "shortDescription": {"text": "Database password is wired through an environment variable placeholder"}, "fullDescription": {"text": "Prefer Compose secrets or your platform secret manager with *_FILE variables where the image supports them. 
Rotate only if a real value was committed."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.58, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI 
patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `execute` has cognitive complexity 8 (SonarSource scale). Cognitive comple", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `execute` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all we"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 8."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `immich-machine-learning` image is selected through a build variable", "shortDescription": {"text": "Compose service `immich-machine-learning` image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. 
Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED008", "name": "[MINED008] Swift Force Unwrap (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED008] Swift Force Unwrap (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. 
In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED075", "name": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL.", "shortDescription": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-690 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 11 more): Same pattern found in 11 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 23 more): Same pattern found in 23 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 22 more): Same pattern found in 22 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 22 more): Same pattern found in 22 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16. Also block loopback (127/8) and the IPv6 loopback, link-local and unique-local ranges, and apply the check to the address the hostname resolves to, including after redirects."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order.", "shortDescription": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `immich-app/devtools/.github/workflows/shared-pr-require-conventional-commit.yml` pinned to mutable re", "shortDescription": {"text": "[MINED115] Action `immich-app/devtools/.github/workflows/shared-pr-require-conventional-commit.yml` pinned to mutable ref `@main`: `uses: immich-app/devtools/.github/workflows/shared-pr-require-conventional-commit.yml@main` resolves at work"}, "fullDescription": {"text": "Replace with: `uses: immich-app/devtools/.github/workflows/shared-pr-require-conventional-commit.yml@<40-char-sha>  # main` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `immich-machine-learning` unpinned: `container/services image: 
immich-machi", "shortDescription": {"text": "[MINED126] Workflow container/services image `immich-machine-learning` unpinned: `container/services image: immich-machine-learning` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with th"}, "fullDescription": {"text": "Replace with `immich-machine-learning@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `dev-container-server (no tag)` not pinned by digest: `FROM dev-container-server (no tag)` re", "shortDescription": {"text": "[MINED118] Dockerfile FROM `dev-container-server (no tag)` not pinned by digest: `FROM dev-container-server (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially"}, "fullDescription": {"text": "Replace with: `FROM dev-container-server@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot). If `dev-container-server` is an earlier build stage in the same Dockerfile rather than a registry image, pin that stage's base image instead."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED112", "name": "[MINED112] FastAPI PATCH immich_ml.models.cache.SimpleMemoryCache.expire has no auth: Handler `test_revalidate_get` is r", "shortDescription": {"text": "[MINED112] FastAPI PATCH immich_ml.models.cache.SimpleMemoryCache.expire has no auth: Handler `test_revalidate_get` is registered with router/app.patch(...) but no Depends/Security parameter is declared and no auth marker appears in the fun"}, "fullDescription": {"text": "Add Depends(get_current_user) or Security(...) to the handler signature. 
If the route is truly public, document it with a code comment so the rule knows it's intentional."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self._sess_options` used but never assigned in __init__: Method `sess_options` of class `OrtSession` reads `", "shortDescription": {"text": "[MINED108] `self._sess_options` used but never assigned in __init__: Method `sess_options` of class `OrtSession` reads `self._sess_options`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeErro"}, "fullDescription": {"text": "Initialize `self._sess_options = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_load_raises_if_os_error_and_already_retried: Test function `test_load_raises_if_o", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_load_raises_if_os_error_and_already_retried: Test function `test_load_raises_if_os_error_and_already_retried` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour"}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": 
{"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKC009", "name": "Compose service bind-mounts a sensitive host path", "shortDescription": {"text": "Compose service bind-mounts a sensitive host path"}, "fullDescription": {"text": "Mount only the exact file or directory required, prefer read-only mode, and avoid host system paths."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED099", "name": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded dir", "shortDescription": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. 
AI assistants frequently leak demo credentials."}, "fullDescription": {"text": "Move the secret to an environment variable or secret manager. Rotate the exposed credential immediately \u2014 assume it is compromised."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED038", "name": "[MINED038] Swift Try Bang: try! crashes on thrown error. Use try? or do/catch.", "shortDescription": {"text": "[MINED038] Swift Try Bang: try! crashes on thrown error. Use try? or do/catch."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED029", "name": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. Bypasses Kotlin's null safety.", "shortDescription": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pu", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.PUSH_O_MATIC_APP_CLIENT_ID }` lets a PR from any "}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed. `pull_request_target` runs with the base repository's secrets, so a job that reads the secret must not check out or execute the pull request's code."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/765"}, "properties": {"repository": "immich-app/immich", "repoUrl": "https://github.com/immich-app/immich", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 63760, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 63759, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta 
tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 63753, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 63750, "scanner": "repobility-docker", "fingerprint": "464ea51b523f07797724761de6c6199b5ea8e711d1663b0662f58ec08968a7c7", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", 
"scanner": "repobility-docker", "service": "database", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|464ea51b523f07797724761de6c6199b5ea8e711d1663b0662f58ec08968a7c7", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/docker-compose.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 63749, "scanner": "repobility-docker", "fingerprint": "ce1959e2d4506c1160a43731f597f8652a95bfe6a564a84a7fd22899099ce704", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|ce1959e2d4506c1160a43731f597f8652a95bfe6a564a84a7fd22899099ce704", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/docker-compose.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "DKC016", "level": "warning", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 63748, "scanner": "repobility-docker", "fingerprint": "b19a8559c9dd77f1a7691c611e3122d9b36cdd323bd8317fccf4d35166399c23", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dependency database has a healthcheck but the app does not use condition: service_healthy.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "immich-server", 
"dependency": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|b19a8559c9dd77f1a7691c611e3122d9b36cdd323bd8317fccf4d35166399c23", "dependency_has_healthcheck": true}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 63746, "scanner": "repobility-docker", "fingerprint": "cc439122686c8938a4d804c56aa4d125c6582a653dd3fd7d0a36df5d590f6914", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "immich-server", "variable": "DB_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|cc439122686c8938a4d804c56aa4d125c6582a653dd3fd7d0a36df5d590f6914", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `immich-server` image uses the latest tag"}, "properties": {"repobilityId": 63744, "scanner": "repobility-docker", "fingerprint": "376f6486591c4c8eced3d74f12225027d225bfa0e60d8fcd24335f4af6401094", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": 
{"image": "immich-server:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|376f6486591c4c8eced3d74f12225027d225bfa0e60d8fcd24335f4af6401094"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 63740, "scanner": "repobility-docker", "fingerprint": "4d2922def3586173ad01ac55bf5336bce30dff3d1760c184799c4272512a1bd6", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|4d2922def3586173ad01ac55bf5336bce30dff3d1760c184799c4272512a1bd6", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "DKC016", "level": "warning", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 63738, "scanner": "repobility-docker", "fingerprint": "db11fe34323830ab9de4ee113a154319c70009c3b3c0e06e633464a7e703e6bc", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dependency database has a healthcheck but the app does not use condition: service_healthy.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "immich-server", "dependency": "redis", "references": 
["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|db11fe34323830ab9de4ee113a154319c70009c3b3c0e06e633464a7e703e6bc", "dependency_has_healthcheck": true}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 63728, "scanner": "repobility-docker", "fingerprint": "8dd618340cdb62477d9b18f6e19cbc3956063da4092354c68f9ec44bc5349082", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ghcr.io/immich-app/base-server-prod:202606021219@sha256:6ef9ef5859492149af770a6c884b5e2ddbaeef99f8885ea5f2d9f73625a3d9ec", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8dd618340cdb62477d9b18f6e19cbc3956063da4092354c68f9ec44bc5349082"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/Dockerfile"}, "region": {"startLine": 83}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 63727, "scanner": "repobility-docker", "fingerprint": "4116c9015e877b00d523714fadd6e5c706d12faeeaec31279d050780c3555c33", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": 
"node:24.1.0-alpine3.20@sha256:8fe019e0d57dbdce5f5c27c0b63d2775cf34b00e3755a7dea969802d7e0c2b25", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4116c9015e877b00d523714fadd6e5c706d12faeeaec31279d050780c3555c33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/e2e-auth-server/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 63726, "scanner": "repobility-docker", "fingerprint": "fe53b6d9566a311ff8d53a961e4929c21f0b71a0566f5e57dcc309111e633317", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24.1.0-alpine3.20@sha256:8fe019e0d57dbdce5f5c27c0b63d2775cf34b00e3755a7dea969802d7e0c2b25", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fe53b6d9566a311ff8d53a961e4929c21f0b71a0566f5e57dcc309111e633317"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 63724, "scanner": "repobility-docker", "fingerprint": "0e10929533d207b0d866e4f2a7f1d2b066c6f1b8524a5b9e8c792c7bcf1832bb", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, 
"reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "prod-${DEVICE}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0e10929533d207b0d866e4f2a7f1d2b066c6f1b8524a5b9e8c792c7bcf1832bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/Dockerfile"}, "region": {"startLine": 117}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": {"repobilityId": 63722, "scanner": "repobility-docker", "fingerprint": "9052619928480151ca262a5747187d72d04465830156994d8c7dd062c33f54a7", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9052619928480151ca262a5747187d72d04465830156994d8c7dd062c33f54a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/Dockerfile"}, "region": {"startLine": 115}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 63719, "scanner": "repobility-agent-runtime", "fingerprint": "71ccfd87725aacf02e924c4ef7945ab6a166ebdba9ffe6bd637408ae15258e9e", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature 
verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|71ccfd87725aacf02e924c4ef7945ab6a166ebdba9ffe6bd637408ae15258e9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/docs/install/script.md"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 63688, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c5f443a590281931b9a27e38773676abbbadeae8db7570b091540c9486e1f7cb", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|c5f443a590281931b9a27e38773676abbbadeae8db7570b091540c9486e1f7cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/openapi/lib/model/shared_links_update.dart"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 63687, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5f2bd9b961477d80b28188d1e00b21048596b36bc3e95ed52209626cdcad27da", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": 
"fp|5f2bd9b961477d80b28188d1e00b21048596b36bc3e95ed52209626cdcad27da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/openapi/lib/model/email_notifications_update.dart"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 63674, "scanner": "repobility-threat-engine", "fingerprint": "e70933c239c565197035683faedb5c6bae0985d58c969ce77a63b003c78e427b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'John Doe'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e70933c239c565197035683faedb5c6bae0985d58c969ce77a63b003c78e427b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/notification-admin.service.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 63669, "scanner": "repobility-threat-engine", "fingerprint": "4faf40c1435c0a5aaa73fdf56a21eb375d83bb7496065511cc1af47f35d8057e", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.2 bits) \u2014 may be placeholder or 
common string", "evidence": {"match": "PASSWORD = '<redacted>'", "reason": "Low entropy value (3.2 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|3|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/repositories/email.repository.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 63611, "scanner": "repobility-threat-engine", "fingerprint": "167c00b2525d19116cb45574271c0fded252de211aea73460094525528db0d2c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|17|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/utils/database-backups.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 63610, "scanner": "repobility-threat-engine", "fingerprint": "097719d5204c1183a6bdae4e090dbc41d5452b2f0cedd3a563138d33c55d298d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|179|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/hls.service.ts"}, "region": {"startLine": 179}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 63609, "scanner": "repobility-threat-engine", "fingerprint": "934e9f8cab892387cd2504d229a1c34423cf52f71850a8207159bd66b9818093", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|37|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/repositories/server-info.repository.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 63594, "scanner": "repobility-threat-engine", "fingerprint": "438e620ea0639b2b5c2287afd5e0e16dcbc2ed75bf567fc9d6a4a27faea9e755", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"https://buy.immich.app\" target=\"_blank\" class=\"no-underline hover:no-underline\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|docs/docusaurus.config.js|111|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/docusaurus.config.js"}, "region": {"startLine": 111}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 63758, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 63757, "scanner": "repobility-web-presence", "fingerprint": 
"cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 63756, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 63755, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": 
"repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 63747, "scanner": "repobility-docker", "fingerprint": "0a918eb0e44f845b2cb531580c14e292c25170d0ebb2caac651288e2ad865297", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "immich-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0a918eb0e44f845b2cb531580c14e292c25170d0ebb2caac651288e2ad865297"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 63745, "scanner": "repobility-docker", "fingerprint": "d19fc05515c336e81abd0975fb008d71e238f342ad6ca45bfd59341f3dd5df9b", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "immich-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d19fc05515c336e81abd0975fb008d71e238f342ad6ca45bfd59341f3dd5df9b"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/docker-compose.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 63743, "scanner": "repobility-docker", "fingerprint": "0b028987097f5cda4c958feb24bf2a13b3c75a49dabd84bcec03577f9b543b16", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "e2e-auth-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0b028987097f5cda4c958feb24bf2a13b3c75a49dabd84bcec03577f9b543b16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 63742, "scanner": "repobility-docker", "fingerprint": "933af551799c8ae3da59284a727692eadd60fec3d90708e5d0f72b6cd0e8dcb4", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "e2e-auth-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|933af551799c8ae3da59284a727692eadd60fec3d90708e5d0f72b6cd0e8dcb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC017", "level": "note", "message": {"text": "Database password is wired 
through an environment variable placeholder"}, "properties": {"repobilityId": 63741, "scanner": "repobility-docker", "fingerprint": "2c92e6b967e7b3482405990d49ed0ab99d737c49a83d148066ce5ccb4f6c8018", "category": "docker", "severity": "low", "confidence": 0.58, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Database image supports file-based secret variables, but only placeholder environment variables were found.", "evidence": {"rule_id": "DKC017", "scanner": "repobility-docker", "service": "database", "variables": ["POSTGRES_PASSWORD"], "references": ["https://docs.docker.com/compose/how-tos/use-secrets/"], "correlation_key": "fp|2c92e6b967e7b3482405990d49ed0ab99d737c49a83d148066ce5ccb4f6c8018"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 63737, "scanner": "repobility-docker", "fingerprint": "299c9a166339590654dc581be81d862e7cfd357b0902fdb275318e78d147efe0", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "immich-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|299c9a166339590654dc581be81d862e7cfd357b0902fdb275318e78d147efe0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 63735, "scanner": "repobility-docker", "fingerprint": 
"8507308a5396d0e37283b5cd523efb968c6063f57a1fd0f564cf142b8e0d5f06", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "immich-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8507308a5396d0e37283b5cd523efb968c6063f57a1fd0f564cf142b8e0d5f06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 63732, "scanner": "repobility-docker", "fingerprint": "8bb7bd526f216c291e342443672fe95dd61428244cc10e33474202bb54b74cc7", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8bb7bd526f216c291e342443672fe95dd61428244cc10e33474202bb54b74cc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/Dockerfile.dev"}, "region": {"startLine": 76}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 63731, "scanner": "repobility-docker", "fingerprint": "d54059437fc006ea40b967aa2e53d89c40648806c16da8b9119c824602653002", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt 
update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|d54059437fc006ea40b967aa2e53d89c40648806c16da8b9119c824602653002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/Dockerfile.dev"}, "region": {"startLine": 76}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 63730, "scanner": "repobility-docker", "fingerprint": "acd783e8ba3f264c093e72f8de270fa6533b719fe18da1b498abb32be88c361e", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|acd783e8ba3f264c093e72f8de270fa6533b719fe18da1b498abb32be88c361e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/Dockerfile.dev"}, "region": {"startLine": 45}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 63729, "scanner": "repobility-docker", "fingerprint": "5bef7363cb310e2b49e6482134443e996060c7ea64e7bd80a7c9522e8ee32410", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": 
"fp|5bef7363cb310e2b49e6482134443e996060c7ea64e7bd80a7c9522e8ee32410"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/Dockerfile.dev"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 63725, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 63721, "scanner": "repobility-docker", "fingerprint": "3c6e8e8645cc4b8b520f077a85937823c7bc7fb9061ca6ead0338019a2cf7780", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|3c6e8e8645cc4b8b520f077a85937823c7bc7fb9061ca6ead0338019a2cf7780"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/Dockerfile"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 63718, "scanner": "repobility-ai-code-hygiene", "fingerprint": "96e6baccf18a33be3ba6540be65179a675babf7a6775a31624a5e95450714069", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/android/app/src/main/kotlin/app/alextran/immich/sync/Messages.g.kt", "duplicate_line": 222, "correlation_key": "fp|96e6baccf18a33be3ba6540be65179a675babf7a6775a31624a5e95450714069"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/ios/Runner/Sync/Messages.g.swift"}, "region": {"startLine": 201}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63717, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5732970777c16fb4ec9bfc6e4ddc745ba05162ad3d9ef8cf9abd5feb7b6b8cf6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/ios/Runner/Connectivity/Connectivity.g.swift", "duplicate_line": 17, "correlation_key": "fp|5732970777c16fb4ec9bfc6e4ddc745ba05162ad3d9ef8cf9abd5feb7b6b8cf6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/ios/Runner/Sync/Messages.g.swift"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 63716, "scanner": "repobility-ai-code-hygiene", "fingerprint": "468910b0f4430c72a106b56595396f64428d9736986ffa6c36def0296029e0d7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/ios/Runner/Background/BackgroundWorker.g.swift", "duplicate_line": 4, "correlation_key": "fp|468910b0f4430c72a106b56595396f64428d9736986ffa6c36def0296029e0d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/ios/Runner/Sync/Messages.g.swift"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63715, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bc4dbd260446cfa78554b4b9509ad57fa2859edbfbcdd3be80aa7b92fe6b16db", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/ios/Runner/Permission/PermissionApi.g.swift", "duplicate_line": 1, "correlation_key": "fp|bc4dbd260446cfa78554b4b9509ad57fa2859edbfbcdd3be80aa7b92fe6b16db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/ios/Runner/Sync/Messages.g.swift"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63714, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"4dea1396976e0825cce49c19c0a676a26d5d7415c843d17abe3ebe6e9b7d9cfc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/ios/Runner/Connectivity/Connectivity.g.swift", "duplicate_line": 17, "correlation_key": "fp|4dea1396976e0825cce49c19c0a676a26d5d7415c843d17abe3ebe6e9b7d9cfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/ios/Runner/Permission/PermissionApi.g.swift"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63713, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6d13831b65e866142d00d2ff055d16688321b63736cc66bb9f495dcf28f59704", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/ios/Runner/Background/BackgroundWorker.g.swift", "duplicate_line": 4, "correlation_key": "fp|6d13831b65e866142d00d2ff055d16688321b63736cc66bb9f495dcf28f59704"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/ios/Runner/Permission/PermissionApi.g.swift"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63712, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e3596b13fef8ef14dc7a3bef8029a7b4626b32f7d0f548dfb95171bbcc8af7ec", "category": 
"quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/ios/Runner/Images/LocalImages.g.swift", "duplicate_line": 82, "correlation_key": "fp|e3596b13fef8ef14dc7a3bef8029a7b4626b32f7d0f548dfb95171bbcc8af7ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/ios/Runner/Images/RemoteImages.g.swift"}, "region": {"startLine": 79}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63711, "scanner": "repobility-ai-code-hygiene", "fingerprint": "09a9b1ea0fd2e214d93fc56a3863c559cd24baa46da66ed4169a60549580fe74", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/ios/Runner/Connectivity/Connectivity.g.swift", "duplicate_line": 17, "correlation_key": "fp|09a9b1ea0fd2e214d93fc56a3863c559cd24baa46da66ed4169a60549580fe74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/ios/Runner/Images/RemoteImages.g.swift"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63710, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6190c76675a5325c081785e660a4000b10772a215735b6d36dd800562f1adec1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/ios/Runner/Background/BackgroundWorker.g.swift", "duplicate_line": 1, "correlation_key": "fp|6190c76675a5325c081785e660a4000b10772a215735b6d36dd800562f1adec1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/ios/Runner/Images/RemoteImages.g.swift"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63709, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cfa2d157b355916885afdd8b88582c656119b05dc68f2243b8904765809f7f5f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/ios/Runner/Connectivity/Connectivity.g.swift", "duplicate_line": 17, "correlation_key": "fp|cfa2d157b355916885afdd8b88582c656119b05dc68f2243b8904765809f7f5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/ios/Runner/Images/LocalImages.g.swift"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63708, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0bdfb23da9f1653b25e95e2f2002f3f89ed7d5dc22346c36f1a4436eeb710fab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different 
non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/ios/Runner/Background/BackgroundWorker.g.swift", "duplicate_line": 1, "correlation_key": "fp|0bdfb23da9f1653b25e95e2f2002f3f89ed7d5dc22346c36f1a4436eeb710fab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/ios/Runner/Images/LocalImages.g.swift"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63707, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dd8449ce112c7aad63559ddb241f9f1a6e5884a76c15d358a2006976c241f2c6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/ios/Runner/Connectivity/Connectivity.g.swift", "duplicate_line": 17, "correlation_key": "fp|dd8449ce112c7aad63559ddb241f9f1a6e5884a76c15d358a2006976c241f2c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/ios/Runner/Core/Network.g.swift"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63706, "scanner": "repobility-ai-code-hygiene", "fingerprint": "942af50fbe2ad0aa8e815c4a014e37804104857da2efd76b6fb4cfbcf189cac0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/ios/Runner/Background/BackgroundWorker.g.swift", "duplicate_line": 1, "correlation_key": "fp|942af50fbe2ad0aa8e815c4a014e37804104857da2efd76b6fb4cfbcf189cac0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/ios/Runner/Core/Network.g.swift"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63705, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d9fdd808964427863a40e569d870e4e2933e9b185f9269a717b2b82b7900a606", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/ios/Runner/Background/BackgroundWorker.g.swift", "duplicate_line": 1, "correlation_key": "fp|d9fdd808964427863a40e569d870e4e2933e9b185f9269a717b2b82b7900a606"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/ios/Runner/Connectivity/Connectivity.g.swift"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63704, "scanner": "repobility-ai-code-hygiene", "fingerprint": "87c584ab4394a87396515bbac9f48a1232e5b3d3ada6e84c6778da6b44c15a4f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"mobile/android/app/src/main/kotlin/app/alextran/immich/background/BackgroundWorker.g.kt", "duplicate_line": 15, "correlation_key": "fp|87c584ab4394a87396515bbac9f48a1232e5b3d3ada6e84c6778da6b44c15a4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/android/app/src/main/kotlin/app/alextran/immich/viewintent/ViewIntent.g.kt"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63703, "scanner": "repobility-ai-code-hygiene", "fingerprint": "22b5ff368b99f71c1989b8bb59640d1f698f8fb427c12c0ea10c3987d3dae918", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/android/app/src/main/kotlin/app/alextran/immich/background/BackgroundWorker.g.kt", "duplicate_line": 15, "correlation_key": "fp|22b5ff368b99f71c1989b8bb59640d1f698f8fb427c12c0ea10c3987d3dae918"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/android/app/src/main/kotlin/app/alextran/immich/sync/Messages.g.kt"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63702, "scanner": "repobility-ai-code-hygiene", "fingerprint": "03c14050815730ab162a549793e6628a629ca54a3ece2425e1a244c58f5f43c3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "mobile/android/app/src/main/kotlin/app/alextran/immich/connectivity/Connectivity.g.kt", "duplicate_line": 23, "correlation_key": "fp|03c14050815730ab162a549793e6628a629ca54a3ece2425e1a244c58f5f43c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/android/app/src/main/kotlin/app/alextran/immich/permission/PermissionApi.g.kt"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63701, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6100361c2387f023bfb5ff03b95358b279684d2b26f1e90580b3fa8fa74bc2c0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/android/app/src/main/kotlin/app/alextran/immich/background/BackgroundWorker.g.kt", "duplicate_line": 15, "correlation_key": "fp|6100361c2387f023bfb5ff03b95358b279684d2b26f1e90580b3fa8fa74bc2c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/android/app/src/main/kotlin/app/alextran/immich/permission/PermissionApi.g.kt"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63700, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2a4a887df7e964b78d18c7fbbb25f4cd8ac1afe1d128b3bbf4dde6ffa4c38488", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/android/app/src/main/kotlin/app/alextran/immich/background/BackgroundWorker.g.kt", "duplicate_line": 15, "correlation_key": "fp|2a4a887df7e964b78d18c7fbbb25f4cd8ac1afe1d128b3bbf4dde6ffa4c38488"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/android/app/src/main/kotlin/app/alextran/immich/images/RemoteImages.g.kt"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63699, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4245aa3cc918839aa1a8ffc18641bc92ec401d86a39a06c80cb2bb4ccbf1c3a4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/android/app/src/main/kotlin/app/alextran/immich/connectivity/Connectivity.g.kt", "duplicate_line": 23, "correlation_key": "fp|4245aa3cc918839aa1a8ffc18641bc92ec401d86a39a06c80cb2bb4ccbf1c3a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/android/app/src/main/kotlin/app/alextran/immich/images/LocalImages.g.kt"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63698, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3ead9d20218dfc8c28f1acbdbe09dd31f878c42b0399b5b7585e3b28a6df8ff5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/android/app/src/main/kotlin/app/alextran/immich/background/BackgroundWorker.g.kt", "duplicate_line": 15, "correlation_key": "fp|3ead9d20218dfc8c28f1acbdbe09dd31f878c42b0399b5b7585e3b28a6df8ff5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/android/app/src/main/kotlin/app/alextran/immich/images/LocalImages.g.kt"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63697, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eac6e2d864bc312ef7a585a48f43c9849a0f35ed1e51b441c48649d8958e34ea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/android/app/src/main/kotlin/app/alextran/immich/background/BackgroundWorker.g.kt", "duplicate_line": 15, "correlation_key": "fp|eac6e2d864bc312ef7a585a48f43c9849a0f35ed1e51b441c48649d8958e34ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/android/app/src/main/kotlin/app/alextran/immich/core/Network.g.kt"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63696, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1635388d1b3d5eeda722ee744eff019cc86c64efd8b6dcca5f90f2a7f8150ecb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window 
appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/android/app/src/main/kotlin/app/alextran/immich/background/BackgroundWorker.g.kt", "duplicate_line": 15, "correlation_key": "fp|1635388d1b3d5eeda722ee744eff019cc86c64efd8b6dcca5f90f2a7f8150ecb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/android/app/src/main/kotlin/app/alextran/immich/connectivity/Connectivity.g.kt"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63695, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d162fa2ade5254d638fc56358bb9677dde72afdeec27c238177d317ec498e8d4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/android/app/src/main/kotlin/app/alextran/immich/background/BackgroundWorker.g.kt", "duplicate_line": 15, "correlation_key": "fp|d162fa2ade5254d638fc56358bb9677dde72afdeec27c238177d317ec498e8d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/android/app/src/main/kotlin/app/alextran/immich/background/BackgroundWorkerLock.g.kt"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63694, "scanner": "repobility-ai-code-hygiene", "fingerprint": "86a32588ce3742fa93a18ef8fe2419bc0a9de0e3ba214918322707441e107a1c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e/vitest.config.ts", "duplicate_line": 1, "correlation_key": "fp|86a32588ce3742fa93a18ef8fe2419bc0a9de0e3ba214918322707441e107a1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/vitest.maintenance.config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63693, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f7588c0ad30404f817b7ac6ee5d66f74107100f5bf0a18fd54d551810d7ea1bc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e/src/ui/specs/search/search-gallery.e2e-spec.ts", "duplicate_line": 23, "correlation_key": "fp|f7588c0ad30404f817b7ac6ee5d66f74107100f5bf0a18fd54d551810d7ea1bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/src/ui/specs/timeline/timeline.e2e-spec.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63692, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f19eaef1b3c5e2e70986d1f1a051bfb69ab06be5006ab61e957cb6c9deb109ea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, 
"rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e/src/ui/specs/asset-viewer/asset-viewer.e2e-spec.ts", "duplicate_line": 19, "correlation_key": "fp|f19eaef1b3c5e2e70986d1f1a051bfb69ab06be5006ab61e957cb6c9deb109ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/src/ui/specs/timeline/timeline.e2e-spec.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63691, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e069f0b72d57828d8ca90ab722e64b917a942b098823ca721a6890174fe26cb3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e/src/specs/maintenance/server/database-backups.e2e-spec.ts", "duplicate_line": 99, "correlation_key": "fp|e069f0b72d57828d8ca90ab722e64b917a942b098823ca721a6890174fe26cb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/src/specs/maintenance/server/maintenance.e2e-spec.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63690, "scanner": "repobility-ai-code-hygiene", "fingerprint": "227bf014806c51a17a03da40c29d8da3a0b51cec3bea6658f9441a661cbfd942", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "mobile/openapi/lib/model/folders_update.dart", "duplicate_line": 19, "correlation_key": "fp|227bf014806c51a17a03da40c29d8da3a0b51cec3bea6658f9441a661cbfd942"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/openapi/lib/model/tags_update.dart"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63689, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5bcedc18404be9808d55fbfe91f8f35b62b4e2c7e798a48de985bd006948fc50", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "mobile/openapi/lib/model/folders_update.dart", "duplicate_line": 19, "correlation_key": "fp|5bcedc18404be9808d55fbfe91f8f35b62b4e2c7e798a48de985bd006948fc50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/openapi/lib/model/shared_links_update.dart"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 63686, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6f6295fca0a7e9ccc6ca07896b8c35dc8d1839f041926c599514a6b0a501481d", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": 
"fp|6f6295fca0a7e9ccc6ca07896b8c35dc8d1839f041926c599514a6b0a501481d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/openapi/lib/model/tags_update.dart"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 63685, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8a087e3fa8d58b91dd680206b6d01de70299a5121d784fbd19fa140ec6f1143b", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|8a087e3fa8d58b91dd680206b6d01de70299a5121d784fbd19fa140ec6f1143b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/openapi/lib/model/shared_links_update.dart"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 63684, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff11630511e6287b6f747b82a4228a40e8e6d301dcbbe5a5b3681f5e5dfdb78f", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|ff11630511e6287b6f747b82a4228a40e8e6d301dcbbe5a5b3681f5e5dfdb78f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/openapi/lib/model/ratings_update.dart"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": 
{"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 63683, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c3a775e5930a73732409548d74d476bfab82bceb9e9649f856a6bbbff4c12e2a", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|c3a775e5930a73732409548d74d476bfab82bceb9e9649f856a6bbbff4c12e2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/openapi/lib/model/purchase_update.dart"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 63682, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4b8d631f71b274da7ffaa3280aa52b629b61e9dd07f5a6b3f441586268515edf", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|4b8d631f71b274da7ffaa3280aa52b629b61e9dd07f5a6b3f441586268515edf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/openapi/lib/model/people_update.dart"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 63681, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c2b2e9245f3f50319615c3988b1d6befdeccf59f6754c6d2d9b4fbb548ef382f", "category": "quality", "severity": "low", 
"confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|c2b2e9245f3f50319615c3988b1d6befdeccf59f6754c6d2d9b4fbb548ef382f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/openapi/lib/model/memories_update.dart"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 63680, "scanner": "repobility-ai-code-hygiene", "fingerprint": "72d64ffac5c4a516701dc3ddd0acf373ac069cee72d84a2ef979d86330a08b06", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|72d64ffac5c4a516701dc3ddd0acf373ac069cee72d84a2ef979d86330a08b06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/openapi/lib/model/folders_update.dart"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 63679, "scanner": "repobility-ai-code-hygiene", "fingerprint": "113e6cd90b932df7de3af82bf13cdff8595966cc32a135836a9d01a6802e156a", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": 
["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|113e6cd90b932df7de3af82bf13cdff8595966cc32a135836a9d01a6802e156a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/openapi/lib/model/email_notifications_update.dart"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 63678, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cb0b4912f5ff348a8e1d9d81d5858f70ae1843ff3bcd4c355639cfc4ec8a1c29", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|cb0b4912f5ff348a8e1d9d81d5858f70ae1843ff3bcd4c355639cfc4ec8a1c29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/openapi/lib/model/download_update.dart"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 63677, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c22ad151557f9e72784c8ef4048aa25ecc6b51674e7a08fbed847ecf07f20378", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|c22ad151557f9e72784c8ef4048aa25ecc6b51674e7a08fbed847ecf07f20378"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/openapi/lib/model/cast_update.dart"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 63676, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c979fea372f111ab8f7458526c63201a828ff1401b0bd9eea1bf0df588b5c615", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|c979fea372f111ab8f7458526c63201a828ff1401b0bd9eea1bf0df588b5c615"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/openapi/lib/model/avatar_update.dart"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 63675, "scanner": "repobility-ai-code-hygiene", "fingerprint": "129d882f23ec2f5f4c2826e91b2ada7386776f063d814892e70ef654c3c2f467", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|129d882f23ec2f5f4c2826e91b2ada7386776f063d814892e70ef654c3c2f467"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/openapi/lib/model/albums_update.dart"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `execute` has cognitive complexity 8 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=1, if=4, nested_bonus=2, recursion=1."}, "properties": {"repobilityId": 63620, "scanner": "repobility-threat-engine", "fingerprint": "2e67068ad56e5a58c5f174cc172bdab49f062bad4dc4f82a9a36031d26d02553", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "execute", "breakdown": {"if": 4, "for": 1, "recursion": 1, "nested_bonus": 2}, "complexity": 8, "correlation_key": "fp|2e67068ad56e5a58c5f174cc172bdab49f062bad4dc4f82a9a36031d26d02553"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/sessions/ann/loader.py"}, "region": {"startLine": 138}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `get_model_class` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: case=8, match=1."}, "properties": {"repobilityId": 63619, "scanner": "repobility-threat-engine", "fingerprint": "fc3b2d3452d8c5b9128463330ea5a59330d1afc517c6afbdb473aa399cf7aa81", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "get_model_class", "breakdown": {"case": 8, "match": 1}, "complexity": 9, "correlation_key": "fp|fc3b2d3452d8c5b9128463330ea5a59330d1afc517c6afbdb473aa399cf7aa81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/models/__init__.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `lifespan` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: for=1, if=4, nested_bonus=1, ternary=2."}, "properties": {"repobilityId": 63618, "scanner": "repobility-threat-engine", "fingerprint": "a028a15e90a9919a996800e5af9218f4a1a74e0850b1f37553dbc7d13ed59c41", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "lifespan", "breakdown": {"if": 4, "for": 1, "ternary": 2, "nested_bonus": 1}, "complexity": 8, "correlation_key": "fp|a028a15e90a9919a996800e5af9218f4a1a74e0850b1f37553dbc7d13ed59c41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/main.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `immich-machine-learning` image is selected through a build variable"}, "properties": {"repobilityId": 63739, "scanner": "repobility-docker", "fingerprint": "d9084c7c68c7272829735e3e0f61aab59ebb51b9334fd9ac73e877b28857cbd8", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d9084c7c68c7272829735e3e0f61aab59ebb51b9334fd9ac73e877b28857cbd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `immich-server` image is selected through a build variable"}, 
"properties": {"repobilityId": 63734, "scanner": "repobility-docker", "fingerprint": "d05a3ee18e99a7de3840de18c85f11ea0b16e0a61140a316f407f472c687ec23", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|d05a3ee18e99a7de3840de18c85f11ea0b16e0a61140a316f407f472c687ec23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 63723, "scanner": "repobility-docker", "fingerprint": "f9b9b58f4cff3e5fa123506fa9caa27bb248be352ceef4c9415048408d8f4b8e", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "prod-${DEVICE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|f9b9b58f4cff3e5fa123506fa9caa27bb248be352ceef4c9415048408d8f4b8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/Dockerfile"}, "region": {"startLine": 117}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 63720, 
"scanner": "repobility-docker", "fingerprint": "a54b5fa418ba21c03a3d9ffbfe50b48626d28844f391ced6ac940cbf3eaa8753", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "builder-${DEVICE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|a54b5fa418ba21c03a3d9ffbfe50b48626d28844f391ced6ac940cbf3eaa8753"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/Dockerfile"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 63673, "scanner": "repobility-threat-engine", "fingerprint": "4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936"}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 63668, "scanner": "repobility-threat-engine", "fingerprint": "828e07aa0d4eb162745b89f41879abd80ce51371a9c848e556b415fbf78053a5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|828e07aa0d4eb162745b89f41879abd80ce51371a9c848e556b415fbf78053a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/emails/welcome.email.tsx"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 63667, "scanner": "repobility-threat-engine", "fingerprint": "ee07b83da2d5d396ae16da20baabdd26ddc92c507dcefb216aa9f0d8f841b069", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ee07b83da2d5d396ae16da20baabdd26ddc92c507dcefb216aa9f0d8f841b069"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/emails/album-update.email.tsx"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 63666, "scanner": "repobility-threat-engine", "fingerprint": "7d23fde0a875d968481049c128fe58e01e613ea9efa11e5ef11ce40e79a33d79", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7d23fde0a875d968481049c128fe58e01e613ea9efa11e5ef11ce40e79a33d79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/emails/album-invite.email.tsx"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 63665, "scanner": "repobility-threat-engine", "fingerprint": "729b643e6bca2592aa4fc4944c630a8412fcea5fbfca0cb8905d71a0efec47d6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|729b643e6bca2592aa4fc4944c630a8412fcea5fbfca0cb8905d71a0efec47d6", "aggregated_count": 1}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 63664, "scanner": "repobility-threat-engine", "fingerprint": "664b94c17d2a841e40a788c0d713d7918def097b2132b51708af334749fdbfea", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|664b94c17d2a841e40a788c0d713d7918def097b2132b51708af334749fdbfea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/repositories/oauth.repository.ts"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 63663, "scanner": "repobility-threat-engine", "fingerprint": "09558ac8f2c42fe0de7dd0e642c624f05b61c160a6d3eafa8d9c3aadd1ccb2f8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|09558ac8f2c42fe0de7dd0e642c624f05b61c160a6d3eafa8d9c3aadd1ccb2f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/dtos/workflow.dto.ts"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 63662, "scanner": "repobility-threat-engine", "fingerprint": "730029c3e6523e4682b08937066cb9b6e8cc7476bd757f4952edfff7b9edc91c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|730029c3e6523e4682b08937066cb9b6e8cc7476bd757f4952edfff7b9edc91c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/dtos/plugin.dto.ts"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 63661, "scanner": "repobility-threat-engine", "fingerprint": "804196cd5d62088823c396c65bed601b2d80988dabb57f13d599a090226104ba", "category": 
"quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|804196cd5d62088823c396c65bed601b2d80988dabb57f13d599a090226104ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/commands/reset-admin-password.command.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 63660, "scanner": "repobility-threat-engine", "fingerprint": "5751420659ad04a520c20d5775b2be723cc91635d921d7e2960e98962aaf8cbe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5751420659ad04a520c20d5775b2be723cc91635d921d7e2960e98962aaf8cbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/commands/password-login.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "properties": {"repobilityId": 63659, "scanner": "repobility-threat-engine", "fingerprint": "b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b6edddaddab6b62ff63a87b52b7d7b3bab2a5af6b4d7361c1238d18c2c6e3162"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 63658, "scanner": "repobility-threat-engine", "fingerprint": "d8f6803e8fb29f49a6dd33a664b4f387f58154bcccdd994fdd1c9a2ce3106b78", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.debug('Using ID token claims instead of userinfo endpoint')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|9|logger.debug using id token claims instead of userinfo endpoint"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/repositories/oauth.repository.ts"}, "region": {"startLine": 
96}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 63657, "scanner": "repobility-threat-engine", "fingerprint": "316340778770643edac26245056143d866d44c532269e852468729d6f8a84491", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log(`The admin password has been updated.`)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|3|console.log the admin password has been updated."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/commands/reset-admin-password.command.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 63656, "scanner": "repobility-threat-engine", "fingerprint": "a61327a6cf074d54349a56a6cadea1a23d4b07c3ce700c5a68fa178d5fee0919", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log('Password login has been enabled.')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|1|console.log password login has been enabled."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/commands/password-login.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 63655, "scanner": "repobility-threat-engine", "fingerprint": "8ef4fc4a1d1afa020d5157bc26f8e97b25b84982c476e0fc9fc2b462b5f52536", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8ef4fc4a1d1afa020d5157bc26f8e97b25b84982c476e0fc9fc2b462b5f52536", "aggregated_count": 6}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 63654, "scanner": "repobility-threat-engine", "fingerprint": "7a03c52a5c6713ab65dc13a26aa5235317505813a6fc7022ba5a35bfb80eb159", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7a03c52a5c6713ab65dc13a26aa5235317505813a6fc7022ba5a35bfb80eb159"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/repositories/process.repository.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 63653, "scanner": "repobility-threat-engine", "fingerprint": "cc60e0b4350c57c8215d19e48ab29789bc9c82684caa048f5ea5084d61e3614a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cc60e0b4350c57c8215d19e48ab29789bc9c82684caa048f5ea5084d61e3614a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/maintenance/maintenance-websocket.repository.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 63652, "scanner": "repobility-threat-engine", "fingerprint": "4760182b0e4e4a2be5f0f0aa883344fabffbb71960560103423a7d14d69f5054", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4760182b0e4e4a2be5f0f0aa883344fabffbb71960560103423a7d14d69f5054"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/commands/media-location.command.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 63651, "scanner": "repobility-threat-engine", "fingerprint": "57538912af3795c0540dc7f01642271ca5c5abeeb95e0c57ba3741e248014b6d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|57538912af3795c0540dc7f01642271ca5c5abeeb95e0c57ba3741e248014b6d"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "server/src/commands/media-location.command.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 63650, "scanner": "repobility-threat-engine", "fingerprint": "a639a93eaa3cb54f4d2c884a11edbc605ae34386d79680000a38e155e4356417", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a639a93eaa3cb54f4d2c884a11edbc605ae34386d79680000a38e155e4356417"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/commands/index.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 63647, "scanner": "repobility-threat-engine", "fingerprint": "17dd83cf3397cfa50961ed7a1eb16167dc11286eb212fcf82fd3bf6e3376bd8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|17dd83cf3397cfa50961ed7a1eb16167dc11286eb212fcf82fd3bf6e3376bd8c", "aggregated_count": 7}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 63646, "scanner": "repobility-threat-engine", "fingerprint": "453866226931c6b7200d49e40206d6d3128598a4f25d8d775960969070c434b3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|453866226931c6b7200d49e40206d6d3128598a4f25d8d775960969070c434b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/decorators.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 63645, "scanner": "repobility-threat-engine", "fingerprint": "8553fddee8e48e0d8828546f24c889bde832fd48296a93c5f6ee0b0e0e6d9d1a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8553fddee8e48e0d8828546f24c889bde832fd48296a93c5f6ee0b0e0e6d9d1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/plugin-sdk/src/host-functions.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 63644, "scanner": "repobility-threat-engine", "fingerprint": "6e41c8f4e2610d9c69e394755db64792889b48493cdafafa393d9870a7b8777d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6e41c8f4e2610d9c69e394755db64792889b48493cdafafa393d9870a7b8777d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/utils.ts"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 63643, "scanner": "repobility-threat-engine", "fingerprint": "38940797db9a4ebd3facf8160ccaacf7d8d0df50516b6420787f039016894fd9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|38940797db9a4ebd3facf8160ccaacf7d8d0df50516b6420787f039016894fd9", "aggregated_count": 5}}}, {"ruleId": "MINED008", "level": "none", "message": {"text": "[MINED008] Swift Force Unwrap (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 63636, "scanner": "repobility-threat-engine", "fingerprint": "bb6e4357f9c93d6ffd44067d0cfcffe1e739ea3c8be0eb81be0971e3e0fd5738", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "swift-force-unwrap", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["swift"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347916+00:00", "triaged_in_corpus": 15, "observations_count": 210453, "ai_coder_pattern_id": 157}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|bb6e4357f9c93d6ffd44067d0cfcffe1e739ea3c8be0eb81be0971e3e0fd5738", "aggregated_count": 2}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 63632, "scanner": "repobility-threat-engine", "fingerprint": "53103c05bfc09d5f78d4ca6cd65cdd3da7e864ad9e7964b978f0870682cfcdf9", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|22|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/utils/profile-image.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 63631, "scanner": "repobility-threat-engine", "fingerprint": "c3334109b5d0dcc96ebc19db63ce6ee582cc68742cb5407d586210174c02e34e", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|67|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/e2e-auth-server/auth-server.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 63630, "scanner": "repobility-threat-engine", "fingerprint": "b3ce1975410b9f6b75cfe68c166ea982100af3920692ecd6659d2df4e6f71fdb", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "UUID.randomUUID()", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|131|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/android/app/src/main/kotlin/app/alextran/immich/widget/ImageDownloadWorker.kt"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 63628, "scanner": "repobility-threat-engine", "fingerprint": "38c44da107fcc85a64dd6d9791c97895a3b3230d93aaac6a32c6f804a6b3119f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|38c44da107fcc85a64dd6d9791c97895a3b3230d93aaac6a32c6f804a6b3119f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/android/app/src/main/cpp/native_buffer.c"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] 
Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 63627, "scanner": "repobility-threat-engine", "fingerprint": "f58bcd3297c4bf46555d1e935b186a094aea70b6f9144c285bb851ed719ed317", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f58bcd3297c4bf46555d1e935b186a094aea70b6f9144c285bb851ed719ed317"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/scripts/healthcheck.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 63626, "scanner": "repobility-threat-engine", "fingerprint": "a101b79d5fc3d22c55ab003f571c927c8e7e0c0474b28a7b532464c811993ffd", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'timeout\\s*=' detected on same line", "evidence": {"match": "requests.get(", "reason": "Safe pattern 'timeout\\s*=' detected on same line", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|a101b79d5fc3d22c55ab003f571c927c8e7e0c0474b28a7b532464c811993ffd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/scripts/healthcheck.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 63625, "scanner": "repobility-threat-engine", "fingerprint": "2a90f201efe0fa0c5dec20cc574f41ea779c24e8a2731e92a392ebdb37082c00", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2a90f201efe0fa0c5dec20cc574f41ea779c24e8a2731e92a392ebdb37082c00"}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 63621, "scanner": "repobility-threat-engine", "fingerprint": "374b2f9ca97c941ea8799534a3f6a7246c4a413e5ec69c34d7f4988e5034f739", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "lifespan", "breakdown": {"if": 4, "for": 1, "ternary": 2, "nested_bonus": 1}, "aggregated": true, "complexity": 8, "correlation_key": "fp|374b2f9ca97c941ea8799534a3f6a7246c4a413e5ec69c34d7f4988e5034f739", "aggregated_count": 2}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 63616, "scanner": "repobility-threat-engine", "fingerprint": "86ba1835d70968651e1fbb2569a4d94211de579a814cf34a5d1e1e2eafe3f130", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|86ba1835d70968651e1fbb2569a4d94211de579a814cf34a5d1e1e2eafe3f130", "aggregated_count": 1}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 63615, "scanner": "repobility-threat-engine", "fingerprint": "1be705b2a4f56cae57bb15208ba56ba850bcb5c941f5dd0badf80755781145d8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1be705b2a4f56cae57bb15208ba56ba850bcb5c941f5dd0badf80755781145d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/models/clip/textual.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 63614, "scanner": "repobility-threat-engine", "fingerprint": "4b092d073f99a6469d23d0a572339cf4b3c31f32169a213294a702bb7f884e6e", "category": 
"quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4b092d073f99a6469d23d0a572339cf4b3c31f32169a213294a702bb7f884e6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/models/base.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 63613, "scanner": "repobility-threat-engine", "fingerprint": "6a9a9df259b7ff378b70df5ecdc6447e0da49dbd75d1abb8178cbb71e49134ba", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a9a9df259b7ff378b70df5ecdc6447e0da49dbd75d1abb8178cbb71e49134ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/ann/export/run.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 2 more): Same pattern found in 2 additional 
files. Review if needed."}, "properties": {"repobilityId": 63612, "scanner": "repobility-threat-engine", "fingerprint": "b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4"}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 63608, "scanner": "repobility-threat-engine", "fingerprint": "46e7c112e8844445a215db092ceff375c08f157716263942fda3df926668bc92", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|46e7c112e8844445a215db092ceff375c08f157716263942fda3df926668bc92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/ann/ann.cpp"}, "region": {"startLine": 273}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 63607, "scanner": "repobility-threat-engine", "fingerprint": "0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "aggregated_count": 3}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 63606, "scanner": "repobility-threat-engine", "fingerprint": "d7c5f91288603cdb20bf50099542eb91d6c695ca9717a6f2876fd40be57e2488", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d7c5f91288603cdb20bf50099542eb91d6c695ca9717a6f2876fd40be57e2488"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/integration_test/test_utils/fake_immich_server.dart"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED043", 
"level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 63605, "scanner": "repobility-threat-engine", "fingerprint": "fa2b11f80e3eb7ca807dfce312a4468e10460b6fc643ec3eaac015b4a6d7246a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fa2b11f80e3eb7ca807dfce312a4468e10460b6fc643ec3eaac015b4a6d7246a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/scripts/healthcheck.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 63604, "scanner": "repobility-threat-engine", "fingerprint": "7f95e1c7b79f7baea8ad099703adda969ed90d193df8d4c9edc888ae07b15fc1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7f95e1c7b79f7baea8ad099703adda969ed90d193df8d4c9edc888ae07b15fc1"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "install.sh"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "properties": {"repobilityId": 63603, "scanner": "repobility-threat-engine", "fingerprint": "6c343569363dd0a3833bf7122ebe77c77c7fe0326e0e996e6706685c8f85b729", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6c343569363dd0a3833bf7122ebe77c77c7fe0326e0e996e6706685c8f85b729", "aggregated_count": 23}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 63602, "scanner": "repobility-threat-engine", "fingerprint": "95b17d512addb6307863ee783244dae703ae1d5b92479b3969e59755abe1690a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|95b17d512addb6307863ee783244dae703ae1d5b92479b3969e59755abe1690a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/auth.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 63601, "scanner": "repobility-threat-engine", "fingerprint": "4c32c8674241d1492ef4ebb3124e96289ef9fed0a911684823d569a8b13e8bde", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4c32c8674241d1492ef4ebb3124e96289ef9fed0a911684823d569a8b13e8bde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "misc/release/archive-version.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 63600, "scanner": "repobility-threat-engine", "fingerprint": "3d45b30832f16e27769705f5832ee986543d909b0178d9c92668d24d88303e3c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3d45b30832f16e27769705f5832ee986543d909b0178d9c92668d24d88303e3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/components/version-switcher.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "properties": {"repobilityId": 63599, "scanner": "repobility-threat-engine", "fingerprint": "2e3607151b79226e1f988d03377240b01f057a39282b8ee7334800f3ede61bb1", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 22 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2e3607151b79226e1f988d03377240b01f057a39282b8ee7334800f3ede61bb1"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 63595, "scanner": "repobility-threat-engine", "fingerprint": "4b4f892109e65c12114565727263ae32fe6a42ffae5db64ff98b4880b53de8af", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4b4f892109e65c12114565727263ae32fe6a42ffae5db64ff98b4880b53de8af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/components/timeline.tsx"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `immich-app/devtools/.github/workflows/shared-pr-require-conventional-commit.yml` pinned to mutable ref `@main`: `uses: immich-app/devtools/.github/workflows/shared-pr-require-conventional-commit.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63841, "scanner": "repobility-supply-chain", "fingerprint": "b6e33d069d66c50e49bf53c7bfe0cbad6939586251c96635ebfa27abc3ce8be2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b6e33d069d66c50e49bf53c7bfe0cbad6939586251c96635ebfa27abc3ce8be2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/org-pr-require-conventional-commit.yml"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `immich-machine-learning` unpinned: `container/services image: immich-machine-learning` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 63840, "scanner": "repobility-supply-chain", "fingerprint": "9fdaf403b8f34a7af003b731c1c35d8783f60294fc906558391f70a5ce6d891c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9fdaf403b8f34a7af003b731c1c35d8783f60294fc906558391f70a5ce6d891c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `immich-app/devtools/.github/workflows/shared-zizmor.yml` pinned to mutable ref `@main`: `uses: immich-app/devtools/.github/workflows/shared-zizmor.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63839, "scanner": "repobility-supply-chain", "fingerprint": "2c532aa56df85452d99407924e89305c91b75584af0f60d21e42956ce630921d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2c532aa56df85452d99407924e89305c91b75584af0f60d21e42956ce630921d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/org-zizmor.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `dev-container-server (no tag)` not pinned by digest: `FROM dev-container-server (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 63813, "scanner": "repobility-supply-chain", "fingerprint": "4953ba0f3f30d23d36546273e446ccde9612b1846498af667ac6c7a3b195068f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4953ba0f3f30d23d36546273e446ccde9612b1846498af667ac6c7a3b195068f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/Dockerfile.dev"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI PATCH immich_ml.models.cache.SimpleMemoryCache.expire has no auth: Handler `test_revalidate_get` is registered with router/app.patch(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 63812, "scanner": "repobility-route-auth", "fingerprint": "3297d0ea278881bf751a1c7284aadf4df21f0c3c16d1c4e895b73051e17504f6", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|3297d0ea278881bf751a1c7284aadf4df21f0c3c16d1c4e895b73051e17504f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 1131}}}]}, {"ruleId": "MINED112", "level": "error", "message": {"text": "[MINED112] FastAPI PATCH immich_ml.models.cache.OptimisticLock has no auth: Handler `test_model_ttl` is registered with router/app.patch(...) 
but no Depends/Security parameter is declared and no auth marker appears in the function body."}, "properties": {"repobilityId": 63811, "scanner": "repobility-route-auth", "fingerprint": "a0176942112ea2060fcf78ddc9fece759c1c6ec99e8d8677dada0ba2de11725d", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "fastapi-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 10455}, "scanner": "repobility-route-auth", "correlation_key": "fp|a0176942112ea2060fcf78ddc9fece759c1c6ec99e8d8677dada0ba2de11725d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 1125}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._sess_options` used but never assigned in __init__: Method `sess_options` of class `OrtSession` reads `self._sess_options`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63810, "scanner": "repobility-ast-engine", "fingerprint": "300cc876adfb6f0e6f8b511950326987823190732d82b9ad10c4596aa5eff810", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|300cc876adfb6f0e6f8b511950326987823190732d82b9ad10c4596aa5eff810"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/sessions/ort.py"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._provider_options` used but never assigned in __init__: Method `provider_options` of class `OrtSession` reads `self._provider_options`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63809, "scanner": "repobility-ast-engine", "fingerprint": "d6f321645b5abc0d2adc3b8470096ed95ecd1c5538489245a9c23fe804a59ff5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d6f321645b5abc0d2adc3b8470096ed95ecd1c5538489245a9c23fe804a59ff5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/sessions/ort.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._provider_options` used but never assigned in __init__: Method `provider_options` of class `OrtSession` reads `self._provider_options`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63808, "scanner": "repobility-ast-engine", "fingerprint": "b9236148b49ba8c4c937221e455c0af83f8212bde9c31e162b7d207acb96f521", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b9236148b49ba8c4c937221e455c0af83f8212bde9c31e162b7d207acb96f521"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/sessions/ort.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._providers` used but never assigned in __init__: Method `providers` of class `OrtSession` reads `self._providers`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63807, "scanner": "repobility-ast-engine", "fingerprint": "f1d328504dfb6711715b6dafcb0b45e02f03fdfe02cd44ffd000cb286ed1b21b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f1d328504dfb6711715b6dafcb0b45e02f03fdfe02cd44ffd000cb286ed1b21b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/sessions/ort.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._providers` used but never assigned in __init__: Method `providers` of class `OrtSession` reads `self._providers`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63806, "scanner": "repobility-ast-engine", "fingerprint": "4e32f8c8e15d4d8e72a83855be8660f5c90f0b0059392570d5bfce1fe520cbae", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4e32f8c8e15d4d8e72a83855be8660f5c90f0b0059392570d5bfce1fe520cbae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/sessions/ort.py"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.device` used but never assigned in __init__: Method `forward` of class `ClipVision` reads `self.device`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63805, "scanner": "repobility-ast-engine", "fingerprint": "c38edb98cd0d06f4296894fa03aed6376afc53a7fedb473a2f1a2f458f6ae3c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c38edb98cd0d06f4296894fa03aed6376afc53a7fedb473a2f1a2f458f6ae3c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/ann/export/run.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.device` used but never assigned in __init__: Method `dummy_input` of class `RetinaFace` reads `self.device`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63804, "scanner": "repobility-ast-engine", "fingerprint": "2d2701593fbba87b1d48221370839a2745950ee8f7baed5d427dc9e99e9ed923", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2d2701593fbba87b1d48221370839a2745950ee8f7baed5d427dc9e99e9ed923"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/ann/export/run.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.device` used but never assigned in __init__: Method `forward` of class `RetinaFace` reads `self.device`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63803, "scanner": "repobility-ast-engine", "fingerprint": "90b01f7f8e032cc490d5803fd8e4aea9a6d1ae9345dadd5777b6bd9d6a4b85a1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|90b01f7f8e032cc490d5803fd8e4aea9a6d1ae9345dadd5777b6bd9d6a4b85a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/ann/export/run.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.device` used but never assigned in __init__: Method `dummy_input` of class `ArcFace` reads `self.device`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63802, "scanner": "repobility-ast-engine", "fingerprint": "90a2f60b08c057eee1174ebfc6a530cc86f8c0e630fc1006869d57758520e098", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|90a2f60b08c057eee1174ebfc6a530cc86f8c0e630fc1006869d57758520e098"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/ann/export/run.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.device` used but never assigned in __init__: Method `forward` of class `ArcFace` reads `self.device`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63801, "scanner": "repobility-ast-engine", "fingerprint": "e7ccb666bd4db3b4da852b6ccf7c8ad2d796fa0327f077e6139f15d1f26b376e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e7ccb666bd4db3b4da852b6ccf7c8ad2d796fa0327f077e6139f15d1f26b376e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/ann/export/run.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.sockets` used but never assigned in __init__: Method `_serve` of class `CustomUvicornWorker` reads `self.sockets`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63800, "scanner": "repobility-ast-engine", "fingerprint": "f5b9d00c899ee4331883119562a99cb358cbd76d134630e04fa399196e4d7cc2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f5b9d00c899ee4331883119562a99cb358cbd76d134630e04fa399196e4d7cc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/config.py"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.config` used but never assigned in __init__: Method `_serve` of class `CustomUvicornWorker` reads `self.config`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63799, "scanner": "repobility-ast-engine", "fingerprint": "548a7fc8c5ad902aa9f58b17792753859e3b0cf626780efbc116b73c9bd89fbc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|548a7fc8c5ad902aa9f58b17792753859e3b0cf626780efbc116b73c9bd89fbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/config.py"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._install_sigquit_handler` used but never assigned in __init__: Method `_serve` of class `CustomUvicornWorker` reads `self._install_sigquit_handler`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63798, "scanner": "repobility-ast-engine", "fingerprint": "9a03eb4509ab0395a7e86902bddbb2065b2e2c8f38174172de5cd17fe0d7c9b0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9a03eb4509ab0395a7e86902bddbb2065b2e2c8f38174172de5cd17fe0d7c9b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/config.py"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.config` used but never assigned in __init__: Method `_serve` of class `CustomUvicornWorker` reads `self.config`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63797, "scanner": "repobility-ast-engine", "fingerprint": "6f5af889ddbc4211ab7ae80f6eb62c8d059bab3376d3e9989042338fb4384ca1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6f5af889ddbc4211ab7ae80f6eb62c8d059bab3376d3e9989042338fb4384ca1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/config.py"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.wsgi` used but never assigned in __init__: Method `_serve` of class `CustomUvicornWorker` reads `self.wsgi`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63796, "scanner": "repobility-ast-engine", "fingerprint": "6b37788f4989f3e0586d7208d92e11c252d6d254185684c578e8083ea2d88bbf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6b37788f4989f3e0586d7208d92e11c252d6d254185684c578e8083ea2d88bbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/config.py"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.environment` used but never assigned in __init__: Method `recognize` of class `RecognitionFormDataLoadTest` reads `self.environment`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63795, "scanner": "repobility-ast-engine", "fingerprint": "9a27772d4243ed416b5cb402687baf94652cb63729181cfd21ccb3eacfe24f09", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9a27772d4243ed416b5cb402687baf94652cb63729181cfd21ccb3eacfe24f09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/locustfile.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.environment` used but never assigned in __init__: Method `recognize` of class `RecognitionFormDataLoadTest` reads `self.environment`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63794, "scanner": "repobility-ast-engine", "fingerprint": "a3724e4e7563d6e5d128c61dfe8c2f8b299b3387006c51defa182e202a968e17", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a3724e4e7563d6e5d128c61dfe8c2f8b299b3387006c51defa182e202a968e17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/locustfile.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.environment` used but never assigned in __init__: Method `recognize` of class `RecognitionFormDataLoadTest` reads `self.environment`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63793, "scanner": "repobility-ast-engine", "fingerprint": "b310dcc9e0dee07ab47eb126507c4c18fbd6f51741b2bb9160b23c9009145e81", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b310dcc9e0dee07ab47eb126507c4c18fbd6f51741b2bb9160b23c9009145e81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/locustfile.py"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.client` used but never assigned in __init__: Method `recognize` of class `RecognitionFormDataLoadTest` reads `self.client`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63792, "scanner": "repobility-ast-engine", "fingerprint": "28a267fe81c4a5965ce07d79069e7db0a7f2152c35d98b07c36b4af5659333b6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|28a267fe81c4a5965ce07d79069e7db0a7f2152c35d98b07c36b4af5659333b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/locustfile.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.data` used but never assigned in __init__: Method `recognize` of class `RecognitionFormDataLoadTest` reads `self.data`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63791, "scanner": "repobility-ast-engine", "fingerprint": "d2abee6d3d54487be41fb4140ec049247051aafff7ab28ce21c6a3ec1869c5ca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d2abee6d3d54487be41fb4140ec049247051aafff7ab28ce21c6a3ec1869c5ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/locustfile.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.environment` used but never assigned in __init__: Method `encode_image` of class `CLIPVisionFormDataLoadTest` reads `self.environment`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63790, "scanner": "repobility-ast-engine", "fingerprint": "e031e8d97e64f8d6d7d58ace42af84ab7162ced202ffe3d647b698403a913bbf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e031e8d97e64f8d6d7d58ace42af84ab7162ced202ffe3d647b698403a913bbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/locustfile.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.client` used but never assigned in __init__: Method `encode_image` of class `CLIPVisionFormDataLoadTest` reads `self.client`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63789, "scanner": "repobility-ast-engine", "fingerprint": "4e6571b06d79ca62c0931d3c1b01be030aab558e953c68d223ab2faa260dfb50", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4e6571b06d79ca62c0931d3c1b01be030aab558e953c68d223ab2faa260dfb50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/locustfile.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.data` used but never assigned in __init__: Method `encode_image` of class `CLIPVisionFormDataLoadTest` reads `self.data`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63788, "scanner": "repobility-ast-engine", "fingerprint": "0bd77fc15e50c0bb1f885f7248c72aeba51fbf4699c6c51b241bf3d430549256", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0bd77fc15e50c0bb1f885f7248c72aeba51fbf4699c6c51b241bf3d430549256"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/locustfile.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.environment` used but never assigned in __init__: Method `encode_text` of class `CLIPTextFormDataLoadTest` reads `self.environment`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63787, "scanner": "repobility-ast-engine", "fingerprint": "b27b7a2ce9a7b3de451b97a661be8f054e83b7abe8f9f540ebc6ebb77142f94c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b27b7a2ce9a7b3de451b97a661be8f054e83b7abe8f9f540ebc6ebb77142f94c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/locustfile.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.client` used but never assigned in __init__: Method `encode_text` of class `CLIPTextFormDataLoadTest` reads `self.client`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 63786, "scanner": "repobility-ast-engine", "fingerprint": "929a3e2ce2645af4d1c57be48aab2f9e88079196d0c64e3b014f0061a74b1a96", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|929a3e2ce2645af4d1c57be48aab2f9e88079196d0c64e3b014f0061a74b1a96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/locustfile.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_load_raises_if_os_error_and_already_retried: Test function `test_load_raises_if_os_error_and_already_retried` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63785, "scanner": "repobility-ast-engine", "fingerprint": "52204d23d50104d7065efcd6f1d98cd67fb839af30e8b35531f0c578dfe52154", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|52204d23d50104d7065efcd6f1d98cd67fb839af30e8b35531f0c578dfe52154"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 1301}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_raises_exception_if_unknown_model_name: Test function `test_raises_exception_if_unknown_model_name` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63784, "scanner": "repobility-ast-engine", "fingerprint": "2f74e7e9a808cc27901a591ec5f64917450960fd4b0ee892b880c1200ea32926", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2f74e7e9a808cc27901a591ec5f64917450960fd4b0ee892b880c1200ea32926"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 1159}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_raises_exception_if_invalid_model_type: Test function `test_raises_exception_if_invalid_model_type` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63783, "scanner": "repobility-ast-engine", "fingerprint": "7764630cb52fb8876cbf9bea5e18505cac6c3fd911fa6e0897d869d539b7e3cf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7764630cb52fb8876cbf9bea5e18505cac6c3fd911fa6e0897d869d539b7e3cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 1152}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_revalidate_get: Test function `test_revalidate_get` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63782, "scanner": "repobility-ast-engine", "fingerprint": "c9799a5e2e575ac6f8ec80ff060c6c21b33aa9898671848b1c8c2cc6dfbe5e9b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c9799a5e2e575ac6f8ec80ff060c6c21b33aa9898671848b1c8c2cc6dfbe5e9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 1131}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_model_ttl: Test function `test_model_ttl` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63781, "scanner": "repobility-ast-engine", "fingerprint": "4ad0bd2caa01c52bc1840f1ee294c2d8940228f643e772443cb88f1599936624", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4ad0bd2caa01c52bc1840f1ee294c2d8940228f643e772443cb88f1599936624"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 1125}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_kwargs_used: Test function `test_kwargs_used` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63780, "scanner": "repobility-ast-engine", "fingerprint": "e0a07ed97662161276cea6dbeea5a82ef517114a8b7baa1c4a3cbc6d1728b81f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e0a07ed97662161276cea6dbeea5a82ef517114a8b7baa1c4a3cbc6d1728b81f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 1103}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_ignore_other_custom_max_batch_size: Test function `test_ignore_other_custom_max_batch_size` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63779, "scanner": "repobility-ast-engine", "fingerprint": "5c1de91bf35197c6ec5f86b5e513ad017697fcb9107609aed7d35cb2de7c519d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5c1de91bf35197c6ec5f86b5e513ad017697fcb9107609aed7d35cb2de7c519d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 1073}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_set_custom_max_batch_size: Test function `test_set_custom_max_batch_size` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63778, "scanner": "repobility-ast-engine", "fingerprint": "1e14389860f3e6c96f13ae96f1250dac80f25df47ae98da4ec4fb6fbdb4b54fd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1e14389860f3e6c96f13ae96f1250dac80f25df47ae98da4ec4fb6fbdb4b54fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 1055}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_set_rec_set_default_max_batch_size: Test function `test_set_rec_set_default_max_batch_size` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63777, "scanner": "repobility-ast-engine", "fingerprint": "08580223e36a3262183266354a02076ec2dd1ae14aef5a20999087e228833304", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|08580223e36a3262183266354a02076ec2dd1ae14aef5a20999087e228833304"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 1036}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_openclip_tokenizer_does_not_add_flores_token_for_non_nllb_model: Test function `test_openclip_tokenizer_does_not_add_flores_token_for_non_nllb_model` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63776, "scanner": "repobility-ast-engine", "fingerprint": "7f7fbc62a8e3630c9335c6d321f9738094a033f9a289f15c6da33868ff81d6d4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7f7fbc62a8e3630c9335c6d321f9738094a033f9a289f15c6da33868ff81d6d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 735}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_openclip_tokenizer_falls_back_to_english_for_nllb_if_language_code_not_found: Test function `test_openclip_tokenizer_falls_back_to_english_for_nllb_if_language_code_not_found` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63775, "scanner": "repobility-ast-engine", "fingerprint": "1519cd0fb1fbff989df3366f50ee96a3bfbeec626693dd0070b0ac429915b32a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1519cd0fb1fbff989df3366f50ee96a3bfbeec626693dd0070b0ac429915b32a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 713}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_openclip_tokenizer_removes_country_code_from_language_for_nllb_if_not_found: Test function `test_openclip_tokenizer_removes_country_code_from_language_for_nllb_if_not_found` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63774, "scanner": "repobility-ast-engine", "fingerprint": "05232be1b6d0c135c4eefdade35ad91c1686bab481a4bc23619cae1b210ccb2a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|05232be1b6d0c135c4eefdade35ad91c1686bab481a4bc23619cae1b210ccb2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 693}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_openclip_tokenizer_adds_flores_token_for_nllb: Test function `test_openclip_tokenizer_adds_flores_token_for_nllb` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63773, "scanner": "repobility-ast-engine", "fingerprint": "89e862624b7691dff79e3b4a173fa8cee46195cdfa01b91d5a7218bf24fad3b9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|89e862624b7691dff79e3b4a173fa8cee46195cdfa01b91d5a7218bf24fad3b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 673}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_creates_rknn_session: Test function `test_creates_rknn_session` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63772, "scanner": "repobility-ast-engine", "fingerprint": "6eb61e83516f97eddfc616f1d8c573fe862c63db4522725a601fcc11d0085524", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6eb61e83516f97eddfc616f1d8c573fe862c63db4522725a601fcc11d0085524"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 548}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_creates_ann_session: Test function `test_creates_ann_session` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63771, "scanner": "repobility-ast-engine", "fingerprint": "eb160b7ffdc8a8e6248e4abfedf9c218428239f7bd68a6e9bcade2dd91cc7e97", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eb160b7ffdc8a8e6248e4abfedf9c218428239f7bd68a6e9bcade2dd91cc7e97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 494}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_does_not_serialize_non_rocm_run: Test function `test_does_not_serialize_non_rocm_run` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63770, "scanner": "repobility-ast-engine", "fingerprint": "baea336ff6405d91f4efea5bc3049de26e0d1645fff06c12ae63ee48ce1392a3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|baea336ff6405d91f4efea5bc3049de26e0d1645fff06c12ae63ee48ce1392a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 480}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_serializes_rocm_first_run_for_new_input_signature: Test function `test_serializes_rocm_first_run_for_new_input_signature` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63769, "scanner": "repobility-ast-engine", "fingerprint": "5d2433d1bf43e0d58fcac000642a3cdea80859d24cab2df41a9edfbf20f5124d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5d2433d1bf43e0d58fcac000642a3cdea80859d24cab2df41a9edfbf20f5124d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 446}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_throws_exception_if_model_path_does_not_exist: Test function `test_throws_exception_if_model_path_does_not_exist` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63768, "scanner": "repobility-ast-engine", "fingerprint": "8a6f0ac6a7cecaa9e23f5fa7a0e2105fcff47b2fb836f0c9334353417ba437b8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8a6f0ac6a7cecaa9e23f5fa7a0e2105fcff47b2fb836f0c9334353417ba437b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 194}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_download_downloads_rknn_if_preferred_format: Test function `test_download_downloads_rknn_if_preferred_format` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63767, "scanner": "repobility-ast-engine", "fingerprint": "6152530fd97d9cf409c1bde628c4b501977cb479beb04f0b904ad5971653c3d6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6152530fd97d9cf409c1bde628c4b501977cb479beb04f0b904ad5971653c3d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_download_downloads_armnn_if_preferred_format: Test function `test_download_downloads_armnn_if_preferred_format` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63766, "scanner": "repobility-ast-engine", "fingerprint": "95a08fd8285148837ae37013bfd166219c79c981e3d81a23d1ef8d792f662d26", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|95a08fd8285148837ae37013bfd166219c79c981e3d81a23d1ef8d792f662d26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_download: Test function `test_download` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63765, "scanner": "repobility-ast-engine", "fingerprint": "038fbc39818a568a25952515f7b15c7c1c3cdedb59377f5ba2bc4549ebab6719", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|038fbc39818a568a25952515f7b15c7c1c3cdedb59377f5ba2bc4549ebab6719"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_clear_cache_replaces_file_with_dir_if_path_is_file: Test function `test_clear_cache_replaces_file_with_dir_if_path_is_file` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63764, "scanner": "repobility-ast-engine", "fingerprint": "0faa007a5173a46b5b105662d5e0aa8e5758c11b9899bd77fd4fe07e8b13ccdb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0faa007a5173a46b5b105662d5e0aa8e5758c11b9899bd77fd4fe07e8b13ccdb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_clear_cache_raises_exception_if_vulnerable_to_symlink_attack: Test function `test_clear_cache_raises_exception_if_vulnerable_to_symlink_attack` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63763, "scanner": "repobility-ast-engine", "fingerprint": "80f81021c16f71fae652a74f78f48477ec6300c34a454e8fa7b99e711349e94e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|80f81021c16f71fae652a74f78f48477ec6300c34a454e8fa7b99e711349e94e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_clear_cache_warns_if_path_does_not_exist: Test function `test_clear_cache_warns_if_path_does_not_exist` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63762, "scanner": "repobility-ast-engine", "fingerprint": "aae24858d0cd67c733da6cf302b8fa2642a8d25008abf06e008fe5a66d707b5b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aae24858d0cd67c733da6cf302b8fa2642a8d25008abf06e008fe5a66d707b5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_clear_cache: Test function `test_clear_cache` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 63761, "scanner": "repobility-ast-engine", "fingerprint": "49d859b23c7f89168f95d34c92004115900dc34f3ddf0aeac4b82c77f277dbc9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|49d859b23c7f89168f95d34c92004115900dc34f3ddf0aeac4b82c77f277dbc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/test_main.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 63754, "scanner": "repobility-journey-contract", "fingerprint": "4ae379576faaccd92ff7bbf163eaebf5341dbed098f6bb1f4df2fbb43fce710e", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|e2e/src/responses.ts|13|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 3}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/src/responses.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 63752, "scanner": "repobility-docker", "fingerprint": "ba831b8153969cb21f4e20389b1944b16f792ffa75a3d367f376a334105a7dba", "category": "docker", "severity": "high", 
"confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "database", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|ba831b8153969cb21f4e20389b1944b16f792ffa75a3d367f376a334105a7dba", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/docker-compose.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 63751, "scanner": "repobility-docker", "fingerprint": "864caf761aa414a4f96db0b7cb0a530ab298855332b7ac01c9411e407d0a2ef5", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5435:5432", "target": "5432", "host_ip": "", "published": "5435"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "database", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|864caf761aa414a4f96db0b7cb0a530ab298855332b7ac01c9411e407d0a2ef5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/docker-compose.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "DKC009", "level": "error", "message": {"text": "Compose service bind-mounts a sensitive host path"}, "properties": {"repobilityId": 63736, "scanner": "repobility-docker", "fingerprint": "894c693471a0ea82d407ae2be4c6c22e80feda45d08c2c2794653e9324e5f991", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "Bind mount source points at a sensitive host path.", "evidence": {"source": "/etc/localtime", "rule_id": "DKC009", "scanner": "repobility-docker", "service": "immich-server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|894c693471a0ea82d407ae2be4c6c22e80feda45d08c2c2794653e9324e5f991"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR001", "level": "error", "message": {"text": "Docker final stage runs as root"}, "properties": {"repobilityId": 63733, "scanner": "repobility-docker", "fingerprint": "84e541bfdb495f45c0f6343dd60a9e6e1a60cca2307cbf699ca3ffc116146f79", "category": "docker", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Final Dockerfile USER resolves to root.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_user": "root", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|84e541bfdb495f45c0f6343dd60a9e6e1a60cca2307cbf699ca3ffc116146f79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/Dockerfile.dev"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 63672, "scanner": "repobility-threat-engine", "fingerprint": "7511cac9c6e5c79e919e8efa31d10be3682a5a3a1148d20bf1a155b911c32790", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(filename", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7511cac9c6e5c79e919e8efa31d10be3682a5a3a1148d20bf1a155b911c32790"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/utils/database-backups.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 63671, "scanner": "repobility-threat-engine", "fingerprint": "3ea42a3c3116e15e821f38cf843004c923aaebc10c85ff2ed58879e563006071", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(filename", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3ea42a3c3116e15e821f38cf843004c923aaebc10c85ff2ed58879e563006071"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/hls.service.ts"}, "region": {"startLine": 179}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 63670, "scanner": "repobility-threat-engine", "fingerprint": "4078c71317f18e5f239d0ef71dfbea9b2d505177412ddcbc0c521199f44d9cc7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4078c71317f18e5f239d0ef71dfbea9b2d505177412ddcbc0c521199f44d9cc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/repositories/server-info.repository.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 63649, "scanner": "repobility-threat-engine", "fingerprint": "7cd9cf4f8cd111915034a3c4b071f0708d23bd616fec5a15214b1c231c9d82a2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(searchPattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7cd9cf4f8cd111915034a3c4b071f0708d23bd616fec5a15214b1c231c9d82a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/plugin-core/src/index.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED099", "level": "error", "message": {"text": "[MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. 
AI assistants frequently leak demo credentials."}, "properties": {"repobilityId": 63648, "scanner": "repobility-threat-engine", "fingerprint": "38cf8279662f1f073ab7948f5d433ff722c6b97cbca643d1d6350db9b0b1c615", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "hardcoded-secret", "owasp": "A07:2021", "cwe_ids": ["CWE-798"], "languages": [], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 8, "observations_count": 88419, "ai_coder_pattern_id": 9}, "scanner": "repobility-threat-engine", "correlation_key": "fp|38cf8279662f1f073ab7948f5d433ff722c6b97cbca643d1d6350db9b0b1c615"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/e2e-auth-server/test-keys.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 63642, "scanner": "repobility-threat-engine", "fingerprint": "678b013f1c174b9b017f92536991f969593bc3e10543a5540aae2c11992d96ea", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|678b013f1c174b9b017f92536991f969593bc3e10543a5540aae2c11992d96ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/controllers/asset-media.controller.ts"}, "region": {"startLine": 57}}}]}, 
{"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 63641, "scanner": "repobility-threat-engine", "fingerprint": "7de2f1bb51a7108fee0e0b575b3a9c6b078fad744fbcfe1ac3c1054b921ae4a7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7de2f1bb51a7108fee0e0b575b3a9c6b078fad744fbcfe1ac3c1054b921ae4a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/plugin-sdk/src/types.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 63640, "scanner": "repobility-threat-engine", "fingerprint": "ec355f640f855992c6d82d68e152b32b4d36948f8b53c9b1275ea87cff17b06b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ec355f640f855992c6d82d68e152b32b4d36948f8b53c9b1275ea87cff17b06b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/cli/src/utils.ts"}, "region": {"startLine": 196}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 63639, "scanner": "repobility-threat-engine", "fingerprint": "53edef7d19dfaef7e9ff886026ff85ea2d3063ff8d887fa70281b2aa5a80bbb6", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([action, schema]) => `${action}: [${Object.keys(schema.shape).join(', ')}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|53edef7d19dfaef7e9ff886026ff85ea2d3063ff8d887fa70281b2aa5a80bbb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/dtos/editing.dto.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 63638, "scanner": "repobility-threat-engine", "fingerprint": "8e999b4706ca3cbaeaccb5d6008659a1666e0380909008bc12a75562b7ca7e13", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((permission) => `\"${permission}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8e999b4706ca3cbaeaccb5d6008659a1666e0380909008bc12a75562b7ca7e13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/utils.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED038", "level": "error", "message": {"text": "[MINED038] Swift Try Bang: try! crashes on thrown error. Use try? 
or do/catch."}, "properties": {"repobilityId": 63637, "scanner": "repobility-threat-engine", "fingerprint": "a7fc53005a48e17de7d57c50d8c8abd5b97abd44eb53ba9885960643871bc611", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "swift-try-bang", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["swift"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347986+00:00", "triaged_in_corpus": 15, "observations_count": 2002, "ai_coder_pattern_id": 158}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a7fc53005a48e17de7d57c50d8c8abd5b97abd44eb53ba9885960643871bc611"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/ios/Runner/Core/URLSessionManager.swift"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED008", "level": "error", "message": {"text": "[MINED008] Swift Force Unwrap: optional! crashes on nil. 
Use guard let or if let."}, "properties": {"repobilityId": 63635, "scanner": "repobility-threat-engine", "fingerprint": "a30ee29e459faaa4999e9eae31f43b99b72cf2fb72dc39cd6c7ceaf8bdde0219", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "swift-force-unwrap", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["swift"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347916+00:00", "triaged_in_corpus": 15, "observations_count": 210453, "ai_coder_pattern_id": 157}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a30ee29e459faaa4999e9eae31f43b99b72cf2fb72dc39cd6c7ceaf8bdde0219"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/ios/WidgetExtension/ImmichAPI.swift"}, "region": {"startLine": 309}}}]}, {"ruleId": "MINED008", "level": "error", "message": {"text": "[MINED008] Swift Force Unwrap: optional! crashes on nil. 
Use guard let or if let."}, "properties": {"repobilityId": 63634, "scanner": "repobility-threat-engine", "fingerprint": "297fb309efac5619871dd92d99b6b3067f0debd83fc31644d57cdab19a720216", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "swift-force-unwrap", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["swift"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347916+00:00", "triaged_in_corpus": 15, "observations_count": 210453, "ai_coder_pattern_id": 157}, "scanner": "repobility-threat-engine", "correlation_key": "fp|297fb309efac5619871dd92d99b6b3067f0debd83fc31644d57cdab19a720216"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/ios/Runner/Images/Thumbhash.swift"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED008", "level": "error", "message": {"text": "[MINED008] Swift Force Unwrap: optional! crashes on nil. 
Use guard let or if let."}, "properties": {"repobilityId": 63633, "scanner": "repobility-threat-engine", "fingerprint": "7b08747e1586711c3d2ce0353d2f4efaa9304e9d9c5ae618eb4389b6f61ee543", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "swift-force-unwrap", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["swift"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347916+00:00", "triaged_in_corpus": 15, "observations_count": 210453, "ai_coder_pattern_id": 157}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7b08747e1586711c3d2ce0353d2f4efaa9304e9d9c5ae618eb4389b6f61ee543"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/ios/Runner/Core/URLSessionManager.swift"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED029", "level": "error", "message": {"text": "[MINED029] Kotlin Null Bang: x!! throws NullPointerException if x is null. 
Bypasses Kotlin's null safety."}, "properties": {"repobilityId": 63629, "scanner": "repobility-threat-engine", "fingerprint": "a97989e86299cbccfe39f7d5c06cb74ea860d5b6f8174a1a666ba179cac76a3b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "kotlin-null-bang", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["kotlin"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347966+00:00", "triaged_in_corpus": 15, "observations_count": 7344, "ai_coder_pattern_id": 155}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a97989e86299cbccfe39f7d5c06cb74ea860d5b6f8174a1a666ba179cac76a3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mobile/android/app/src/main/kotlin/app/alextran/immich/background/BackgroundWorker.kt"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 63624, "scanner": "repobility-threat-engine", "fingerprint": "b57c1674b520ed6a26587881f87e42ac587f8e85929c357b3ac2b45f31fcc236", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "libann.destroy(self.ann)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b57c1674b520ed6a26587881f87e42ac587f8e85929c357b3ac2b45f31fcc236"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/sessions/ann/loader.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 63623, "scanner": "repobility-threat-engine", "fingerprint": "d322d4f70b96fd932b0f5c6d3c1888aa6712fce472182d1402fa3c30cc5044c8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "self.ann.destroy()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d322d4f70b96fd932b0f5c6d3c1888aa6712fce472182d1402fa3c30cc5044c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/sessions/ann/__init__.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 63622, "scanner": "repobility-threat-engine", "fingerprint": "cadb65974707cd41584019b9b5ce1be1cc11eed5385ea776231212a668ffabda", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "onnx.save(updated_proto, model_path)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cadb65974707cd41584019b9b5ce1be1cc11eed5385ea776231212a668ffabda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/models/facial_recognition/recognition.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... 
\u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 63617, "scanner": "repobility-threat-engine", "fingerprint": "f232542e5892f9709731156feeb455277f782f874dd68ebc211a736eabb88684", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f232542e5892f9709731156feeb455277f782f874dd68ebc211a736eabb88684"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/__main__.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 63598, "scanner": "repobility-threat-engine", "fingerprint": "11257383828ee240bf0a7be1bc9d1e9238c2d232fe20b89c39ea4bfdee8cb461", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(\n            F", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|11257383828ee240bf0a7be1bc9d1e9238c2d232fe20b89c39ea4bfdee8cb461"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/models/ocr/recognition.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 63597, "scanner": "repobility-threat-engine", "fingerprint": "851f9200a41b67e7b8099133208212d132b112ca41456f7a19b50d48c89c79d3", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(\n            F", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|851f9200a41b67e7b8099133208212d132b112ca41456f7a19b50d48c89c79d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "machine-learning/immich_ml/models/ocr/detection.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. The evidence for this result is a text match on `URL(u`, so confirm that the URL is attacker-controlled and that the request is issued from a server before treating it as SSRF."}, "properties": {"repobilityId": 63596, "scanner": "repobility-threat-engine", "fingerprint": "63ac49442fe1327fb654e0bf2dd8bd80605405dacf607591a4ae577860aa0119", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|63ac49442fe1327fb654e0bf2dd8bd80605405dacf607591a4ae577860aa0119"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/components/version-switcher.tsx"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context). GitHub does not pass repository secrets (other than `GITHUB_TOKEN`) to `pull_request` runs that come from a fork, so check whether the exposure is limited to pull requests from branches of this repository or to a repository setting that sends secrets to fork pull requests."}, "properties": {"repobilityId": 63838, "scanner": "repobility-supply-chain", "fingerprint": "67822d8bce07956d25638b479323c9499b32d418d010041647218e2d1124968a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|67822d8bce07956d25638b479323c9499b32d418d010041647218e2d1124968a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 589}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63837, "scanner": "repobility-supply-chain", "fingerprint": "8424cbea01d6118ccce690b0e3d321bba31dc11ece8d78b840a6864a79cd222c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8424cbea01d6118ccce690b0e3d321bba31dc11ece8d78b840a6864a79cd222c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 552}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63836, "scanner": "repobility-supply-chain", "fingerprint": "5dc5bb53aeb53a08ea774ffdd7b8b9287da20751fce7c96dbf02864c5a9ad1d4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5dc5bb53aeb53a08ea774ffdd7b8b9287da20751fce7c96dbf02864c5a9ad1d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 551}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63835, "scanner": "repobility-supply-chain", "fingerprint": "e076bed46868b7e2d98dbf47b424347b0c0166ec31db5433ad7ec2b800f07e3f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e076bed46868b7e2d98dbf47b424347b0c0166ec31db5433ad7ec2b800f07e3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 444}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63834, "scanner": "repobility-supply-chain", "fingerprint": "36883fc5493a613c8630be543ce4cb52ddbea50dcf02078dccf447408a6619bf", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|36883fc5493a613c8630be543ce4cb52ddbea50dcf02078dccf447408a6619bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 443}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63833, "scanner": "repobility-supply-chain", "fingerprint": "d69464b0d77bcf970ef171678f2dd11577e4fa8e15a2661c74aacde631bf8b01", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d69464b0d77bcf970ef171678f2dd11577e4fa8e15a2661c74aacde631bf8b01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 367}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63832, "scanner": "repobility-supply-chain", "fingerprint": "0c9b231330c6984e03709c21bd4be55f7ff80f502db2452e124baf356ea84a13", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0c9b231330c6984e03709c21bd4be55f7ff80f502db2452e124baf356ea84a13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 366}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63831, "scanner": "repobility-supply-chain", "fingerprint": "97c79f3d4a20cba0cf8347674a48ca41d52622421798a68d89ab564d69669311", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|97c79f3d4a20cba0cf8347674a48ca41d52622421798a68d89ab564d69669311"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 331}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63830, "scanner": "repobility-supply-chain", "fingerprint": "4fad002cfcdeac6b46826917d6780ed07cfbd7bd083a169e3e4d7473ff09b5d5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4fad002cfcdeac6b46826917d6780ed07cfbd7bd083a169e3e4d7473ff09b5d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 330}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63829, "scanner": "repobility-supply-chain", "fingerprint": "beea8f3dcb1ace863ed6555e0434df91268844a817c348c63e42d96444a75df6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|beea8f3dcb1ace863ed6555e0434df91268844a817c348c63e42d96444a75df6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 299}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63828, "scanner": "repobility-supply-chain", "fingerprint": "bf8d2344491510d52540e9f760c3c8f4a9c9b016b8a10bc11f2bcba9f8b482a1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf8d2344491510d52540e9f760c3c8f4a9c9b016b8a10bc11f2bcba9f8b482a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 298}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63827, "scanner": "repobility-supply-chain", "fingerprint": "819b1e313ff96e9b4f9010c835fdb3cc5b7516dc0bbad1eabb09b6e9fa5cde8b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|819b1e313ff96e9b4f9010c835fdb3cc5b7516dc0bbad1eabb09b6e9fa5cde8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 249}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63826, "scanner": "repobility-supply-chain", "fingerprint": "540a465d6572b706573b241d54df3aa62ee000d1e57da5a53ea2fe7ebf453d40", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|540a465d6572b706573b241d54df3aa62ee000d1e57da5a53ea2fe7ebf453d40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 248}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63825, "scanner": "repobility-supply-chain", "fingerprint": "cdc541b1d7bb7e19525b01c281df3df663632fc386b5267ef9684eb0184e6fa3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cdc541b1d7bb7e19525b01c281df3df663632fc386b5267ef9684eb0184e6fa3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 221}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63824, "scanner": "repobility-supply-chain", "fingerprint": "4d0f4bb499c1cc8ac32b782af5accc754b251357f57a8ce421fba2d4947fac9e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d0f4bb499c1cc8ac32b782af5accc754b251357f57a8ce421fba2d4947fac9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 220}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63823, "scanner": "repobility-supply-chain", "fingerprint": "66362fc84255879b4a34b4c340f8e16ab2f225fbfd73c3ecf8fbfea6b651f071", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|66362fc84255879b4a34b4c340f8e16ab2f225fbfd73c3ecf8fbfea6b651f071"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63822, "scanner": "repobility-supply-chain", "fingerprint": "3fc2debd5dfe458f281ee8b54adee8326eaec1a1c461644cd5f5264eb7a5392a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3fc2debd5dfe458f281ee8b54adee8326eaec1a1c461644cd5f5264eb7a5392a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 182}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63821, "scanner": "repobility-supply-chain", "fingerprint": "2c424ba14b5942d2ffa552e5831134333bada95158155bb57847954db29a0201", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2c424ba14b5942d2ffa552e5831134333bada95158155bb57847954db29a0201"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63820, "scanner": "repobility-supply-chain", "fingerprint": "c88d420bfb76cd8697bd811430dc24128dfe3d7693c01ecb5e287dd502cd34c4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c88d420bfb76cd8697bd811430dc24128dfe3d7693c01ecb5e287dd502cd34c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63819, "scanner": "repobility-supply-chain", "fingerprint": "dea68f3717778b9cc32ddc9bb5f3d11c779c9e0ab3f275965e65d50e99db8deb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dea68f3717778b9cc32ddc9bb5f3d11c779c9e0ab3f275965e65d50e99db8deb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63818, "scanner": "repobility-supply-chain", "fingerprint": "3fd148d4bcd26ec87168f5d151db88366b7818d9d9099df4ad320d31293a059b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3fd148d4bcd26ec87168f5d151db88366b7818d9d9099df4ad320d31293a059b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63817, "scanner": "repobility-supply-chain", "fingerprint": "5ff77d4b1a52d44e2d1ee619c2fa12b718ab818de4835c04b07d7ddd6ba9fe10", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5ff77d4b1a52d44e2d1ee619c2fa12b718ab818de4835c04b07d7ddd6ba9fe10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63816, "scanner": "repobility-supply-chain", "fingerprint": "34eda0463af49047af13066d9afc765c963b878c44f8c4a2b8a0f478ba7f4230", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|34eda0463af49047af13066d9afc765c963b878c44f8c4a2b8a0f478ba7f4230"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63815, "scanner": "repobility-supply-chain", "fingerprint": "2753c42796200b10d857dcb5a942a4403f457b287ea6857eb2bba5aa47c8f568", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2753c42796200b10d857dcb5a942a4403f457b287ea6857eb2bba5aa47c8f568"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PUSH_O_MATIC_APP_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PUSH_O_MATIC_APP_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63814, "scanner": "repobility-supply-chain", "fingerprint": "3ae3cb7ce15258cf16333540428af7eb209bf7d53ac93e3f33d644dff34ef7ee", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ae3cb7ce15258cf16333540428af7eb209bf7d53ac93e3f33d644dff34ef7ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 22}}}]}]}]}