{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. 
For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT008", "name": "Ollama audio payload path may mislead users about direct model audio", "shortDescription": {"text": "Ollama audio payload path may mislead users about direct model audio"}, "fullDescription": {"text": "Gate direct audio sending on a verified runtime capability check. Until supported, show a one-time notice that voice is transcribed in the browser and only text is sent to the model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace.\nTriage JavaScript/TypeScript hits before accepting them: the remedies above are Python-specific, and a bare `.exec(` token in JS/TS is frequently RegExp.prototype.exec or a query-builder .exec() helper (no code execution at all); only child_process.exec is an injection sink, and for that see SEC085 \u2014 use execFile/spawn with an args array. Mark a JS/TS `.exec(` match confirmed only after the receiver has been identified."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": 
"WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED074", "name": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI halluci", "shortDescription": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nAlso restrict the scheme to http/https and reject URLs carrying userinfo (user:pass@host) or unexpected ports.\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private and loopback ranges explicitly \u2014 10/8, 172.16/12, 192.168/16, 169.254/16, 127/8, 0/8, and for IPv6 ::1, fc00::/7, fe80::/10 plus IPv4-mapped addresses (::ffff:a.b.c.d) \u2014 and apply that check to the RESOLVED address at connect time, not to the hostname string, otherwise an attacker-controlled DNS name (or DNS rebinding) passes the filter.\nDisable redirect following on the outbound client, or re-validate every redirect target, because a 302 from an allowlisted host can point back at internal services or cloud metadata endpoints."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 6 more): Same pattern found in 6 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 16 more): Same pattern found in 16 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "AGT002", "name": "LLM memory extraction can be prompt-injected into storing fake facts", "shortDescription": {"text": "LLM memory extraction can be prompt-injected into storing fake facts"}, "fullDescription": {"text": "Validate extracted facts with a schema, enforce length and count limits, reject code-fence/prompt-looking content, and discard facts that contain instruction-like phrases or raw JSON prompt fragments."}, "properties": {"scanner": "repobility-agent-runtime", "category": "llm_injection", "severity": "high", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.VERCEL_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, w", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.VERCEL_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.VERCEL_TOKEN }` lets a PR from any fork exfiltrate the secret ("}, "fullDescription": {"text": "Under the plain `pull_request` trigger GitHub withholds repository secrets (everything except the read-only GITHUB_TOKEN) from workflow runs started by pull requests from forks, so the direct exfiltration path here is a PR opened from a same-repository branch, or a private repository configured to send secrets to fork workflows; confirm which case applies before keeping this at critical. Do NOT remediate by switching the trigger to `pull_request_target` and then checking out or executing the PR head: that event runs with the base repository's secrets, and running fork-controlled code under it is the classic pwn-request exposure. Prefer removing the secret from the PR-triggered job entirely, or split the pipeline: a `pull_request` job that builds and tests the untrusted code with no secrets, followed by a `workflow_run` (or push / deployment-branch) job that holds the token and consumes only produced artifacts, never the fork's checked-out code."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1353"}, "properties": {"repository": "elizaOS/eliza", "repoUrl": "https://github.com/elizaOS/eliza", "branch": "develop"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 137934, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 137930, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", 
"isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "NestJS", "Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 137929, "scanner": "repobility-agent-runtime", "fingerprint": "5254d4783b75f956dc192f46450a7213bf140e7144485360122edc0932448e45", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|5254d4783b75f956dc192f46450a7213bf140e7144485360122edc0932448e45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/benchmarks/openclaw-benchmark/nix_isolated_env/README.md"}, "region": {"startLine": 10}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 137928, "scanner": "repobility-agent-runtime", "fingerprint": "79dc611ca4dac6645a4ec462a7c5403ce5a9e08a922051b88820bc063d72d0ec", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": 
"fp|79dc611ca4dac6645a4ec462a7c5403ce5a9e08a922051b88820bc063d72d0ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/benchmarks/openclaw-benchmark/benchmark/README.md"}, "region": {"startLine": 9}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 137927, "scanner": "repobility-agent-runtime", "fingerprint": "bb256161447dd9a19f43f1729efb6344a231a13b84b740eb6e5d346884a6a5d3", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|bb256161447dd9a19f43f1729efb6344a231a13b84b740eb6e5d346884a6a5d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/benchmarks/openclaw-benchmark/.archived/opencode_setup/README.md"}, "region": {"startLine": 10}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 137926, "scanner": "repobility-agent-runtime", "fingerprint": "8aa4e506364ac642d396936ef155b6c6dd38fb948e9542fec1813804a677b2d1", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|8aa4e506364ac642d396936ef155b6c6dd38fb948e9542fec1813804a677b2d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/benchmarks/loca-bench/README.md"}, "region": {"startLine": 
51}}}]}, {"ruleId": "AGT008", "level": "warning", "message": {"text": "Ollama audio payload path may mislead users about direct model audio"}, "properties": {"repobilityId": 137924, "scanner": "repobility-agent-runtime", "fingerprint": "ed9759fe4a1d320d8425bdfdaafd0530d36da5390e68efcd7c78810a4dd1cdd8", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File references Ollama and an audios payload without an obvious capability check or browser-transcription disclosure.", "evidence": {"rule_id": "AGT008", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ed9759fe4a1d320d8425bdfdaafd0530d36da5390e68efcd7c78810a4dd1cdd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/config/zod-schema.core.ts"}, "region": {"startLine": 782}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 137923, "scanner": "repobility-agent-runtime", "fingerprint": "440d358f55354b818325c6fa8d35d2588b417cd9bb990fa47ff98a6a314c07ee", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|440d358f55354b818325c6fa8d35d2588b417cd9bb990fa47ff98a6a314c07ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-eliza-provisioning-worker.yml"}, "region": {"startLine": 221}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 137922, "scanner": "repobility-agent-runtime", "fingerprint": 
"e360640863fe786eda85cb438ca0e0b7c75ec77ce22548c5f0251e0addc0947e", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|e360640863fe786eda85cb438ca0e0b7c75ec77ce22548c5f0251e0addc0947e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-deploy-backend.yml"}, "region": {"startLine": 306}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 137908, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 137903, "scanner": "repobility-threat-engine", "fingerprint": "b8d84aeeee070137022a288cdca0884cf6080da027fae016cfdeb2314a7024fa", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": 
"repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b8d84aeeee070137022a288cdca0884cf6080da027fae016cfdeb2314a7024fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/auth/refresh-mutex.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 137894, "scanner": "repobility-threat-engine", "fingerprint": "fd584080d14c43d905c56842c36cda8590512b7735c572628db28571980ac25c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|50|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/ws-event-replay.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 137893, "scanner": "repobility-threat-engine", "fingerprint": "f1b0fd3f22be9f11bf89f75a82a9d7b338ea9825e8fe11867470b8366e9ee321", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|180|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/workbench-routes.ts"}, "region": {"startLine": 180}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 137892, "scanner": "repobility-threat-engine", "fingerprint": "384465f7df2b5ff95d7e243fb5ddffba6ad107f52b2b9240092527a7b717ba31", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|62|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/early-logs.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 137935, "scanner": "repobility-web-presence", "fingerprint": "99b10c0445d788995507a86a17a58bde81db8ff30d244f155fcbe3522ed748ba", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|99b10c0445d788995507a86a17a58bde81db8ff30d244f155fcbe3522ed748ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/hetzner-e2e.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 137933, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, 
"reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 137932, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 137931, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137921, "scanner": "repobility-ai-code-hygiene", "fingerprint": "670a1f182473de443ab5079ea693c8523255905766b1a7713f4c339698518e63", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agent/src/api/first-run-routes.ts", "duplicate_line": 338, "correlation_key": "fp|670a1f182473de443ab5079ea693c8523255905766b1a7713f4c339698518e63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/runtime/build-character-config.ts"}, "region": {"startLine": 145}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137920, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8e0759f829984c6cc009c0e4a31aa0ab9a418ebd62a6791860d511f0cab3ba67", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agent/src/providers/admin-trust.ts", "duplicate_line": 21, "correlation_key": "fp|8e0759f829984c6cc009c0e4a31aa0ab9a418ebd62a6791860d511f0cab3ba67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/providers/role-backfill.ts"}, "region": {"startLine": 25}}}]}, 
{"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137919, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d6e5b185c8fc543c3433909eb7bdaf6200ba687aa7a20d7414c48bed3f6ced46", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agent/src/providers/recent-conversations.ts", "duplicate_line": 35, "correlation_key": "fp|d6e5b185c8fc543c3433909eb7bdaf6200ba687aa7a20d7414c48bed3f6ced46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/providers/relevant-conversations.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137918, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4ec216d76d6cd01f63caeefa492c3cbae64aa64c4b6f6b27dd34107b69904167", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agent/src/config/character-schema.ts", "duplicate_line": 2, "correlation_key": "fp|4ec216d76d6cd01f63caeefa492c3cbae64aa64c4b6f6b27dd34107b69904167"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/config/zod-schema.ts"}, "region": {"startLine": 234}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block 
across source files"}, "properties": {"repobilityId": 137917, "scanner": "repobility-ai-code-hygiene", "fingerprint": "91ce25ef18628b0bced6437e545568c52073bdcb243854f2b7aa1e91281c5a21", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agent/src/api/model-provider-helpers.ts", "duplicate_line": 647, "correlation_key": "fp|91ce25ef18628b0bced6437e545568c52073bdcb243854f2b7aa1e91281c5a21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/wallet-rpc.ts"}, "region": {"startLine": 300}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137916, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8b68a0cff17171fa21907c29df222844e3db2f5f15f8c3a0d74d863fd3dda02b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agent/src/api/runtime-plugin-routes.ts", "duplicate_line": 56, "correlation_key": "fp|8b68a0cff17171fa21907c29df222844e3db2f5f15f8c3a0d74d863fd3dda02b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/server-lazy-routes.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137915, "scanner": "repobility-ai-code-hygiene", 
"fingerprint": "ea155377a5d72c3f2d778a78321f0d7c2b8c1fe2b84baf541d77c60a1153727e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agent/src/api/dispatch-route.ts", "duplicate_line": 19, "correlation_key": "fp|ea155377a5d72c3f2d778a78321f0d7c2b8c1fe2b84baf541d77c60a1153727e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/server-lazy-routes.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137914, "scanner": "repobility-ai-code-hygiene", "fingerprint": "664c1d67fd5273f15e4065fbbee0297e7e17c216d535e17b4ab9ebe567a07e8d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agent/src/api/server-auth.ts", "duplicate_line": 501, "correlation_key": "fp|664c1d67fd5273f15e4065fbbee0297e7e17c216d535e17b4ab9ebe567a07e8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/server-helpers.ts"}, "region": {"startLine": 464}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137913, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b68d9739d1ae704ed2f62d82f2cbf8302799a622424b2cf84298025ef6c840df", "category": "quality", "severity": 
"low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agent/src/api/server-auth.ts", "duplicate_line": 321, "correlation_key": "fp|b68d9739d1ae704ed2f62d82f2cbf8302799a622424b2cf84298025ef6c840df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/server-helpers-wallet.ts"}, "region": {"startLine": 179}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137912, "scanner": "repobility-ai-code-hygiene", "fingerprint": "76f85f9e6f0fd02c8f76589e3e60b00dd3392313a6afe2a9fc75f09efea6d2c6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agent/src/api/server-auth.ts", "duplicate_line": 289, "correlation_key": "fp|76f85f9e6f0fd02c8f76589e3e60b00dd3392313a6afe2a9fc75f09efea6d2c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/server-helpers-plugin.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137911, "scanner": "repobility-ai-code-hygiene", "fingerprint": "474d1dd55708b302f715bbd898df4acad20aa995807192d8bd58a6f9e86c23ff", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A 
normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agent/src/api/server-auth.ts", "duplicate_line": 476, "correlation_key": "fp|474d1dd55708b302f715bbd898df4acad20aa995807192d8bd58a6f9e86c23ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/server-helpers-config.ts"}, "region": {"startLine": 303}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137910, "scanner": "repobility-ai-code-hygiene", "fingerprint": "be289a03605138f587d07b1d2d54ce0964e5906a81398a70ca807e94f8f70965", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agent/src/api/server-auth.ts", "duplicate_line": 17, "correlation_key": "fp|be289a03605138f587d07b1d2d54ce0964e5906a81398a70ca807e94f8f70965"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/server-helpers-auth.ts"}, "region": {"startLine": 175}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 137909, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c2533db026b6b1675702f5402a2644d4a7499bada3d88b6530690875e1433c8e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agent/src/api/dispatch-route.ts", "duplicate_line": 20, "correlation_key": "fp|c2533db026b6b1675702f5402a2644d4a7499bada3d88b6530690875e1433c8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/runtime-plugin-routes.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "properties": {"repobilityId": 137907, "scanner": "repobility-threat-engine", "fingerprint": "e7c774a42898766779a40fb3d031f1f1e90cb1f43ef3eaa69c7cb3b75f41fb9f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e7c774a42898766779a40fb3d031f1f1e90cb1f43ef3eaa69c7cb3b75f41fb9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/runtime/actions/web-fetch.ts"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public read-only endpoints; dangerous on unauthenticated write endpoints and on services bound to localhost or an intranet, where any web page the user visits can call the API from the browser. Note that browsers refuse * combined with Access-Control-Allow-Credentials: true, so the cookie-credentialed risk usually comes from reflecting the request Origin header rather than from the literal wildcard."}, "properties": {"repobilityId": 137906, "scanner": "repobility-threat-engine", "fingerprint": "92f6217cf17b86c06dac40df6e6839c383f9aeda2543dcc298cda128f689b4d4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|92f6217cf17b86c06dac40df6e6839c383f9aeda2543dcc298cda128f689b4d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/index.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. UUIDv3 is a deterministic MD5 hash of a namespace and name, so anyone who knows the inputs can recompute it. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 137905, "scanner": "repobility-threat-engine", "fingerprint": "1dfc40bb0b3ae1a508a3f6932d3ee0fdacb39bb2d5f5c51dd1076b673a0922c5", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|151|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/runtime/operations/manager.ts"}, "region": {"startLine": 151}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. UUIDv3 is a deterministic MD5 hash of a namespace and name, so anyone who knows the inputs can recompute it. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 137904, "scanner": "repobility-threat-engine", "fingerprint": "a65a162500fb87575ba36946bbdc1a81b46b240334a2a1f64918e58b861614d2", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|96|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/cli/benchmark.ts"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 137902, "scanner": "repobility-threat-engine", "fingerprint": "67b4855aaae28ecc24a44bf721fb924df60dcbe1ccdb3c4411b848a3575d4c03", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|67b4855aaae28ecc24a44bf721fb924df60dcbe1ccdb3c4411b848a3575d4c03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/wallet-env-sync.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not 
Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 137900, "scanner": "repobility-threat-engine", "fingerprint": "a7259922cd3410c02d1e98a43b67d2fad771fd6b4b691956d71b4aeae60e0ae3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a7259922cd3410c02d1e98a43b67d2fad771fd6b4b691956d71b4aeae60e0ae3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/hono-mount.ts"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 137899, "scanner": "repobility-threat-engine", "fingerprint": "4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 137895, "scanner": "repobility-threat-engine", "fingerprint": "c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 137891, "scanner": "repobility-threat-engine", "fingerprint": "a0769f34321ccb4a2408866410ff258332c2e3d0c176eda236c0efe5490d0026", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a0769f34321ccb4a2408866410ff258332c2e3d0c176eda236c0efe5490d0026"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 137887, "scanner": "repobility-threat-engine", "fingerprint": "a600c5f1b687e0363f6cd72bae70904050dbf8acc3244366b5b6101b65c34836", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a600c5f1b687e0363f6cd72bae70904050dbf8acc3244366b5b6101b65c34836"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 137883, "scanner": "repobility-threat-engine", "fingerprint": "8c3560525de975a9c202cd1b69e7b70cd2e798d159e8cb8d425d4f011026e437", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8c3560525de975a9c202cd1b69e7b70cd2e798d159e8cb8d425d4f011026e437", "aggregated_count": 1}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 137882, "scanner": "repobility-threat-engine", "fingerprint": "c6d242014402e304c60828137d6be07d20305445d441539b694c576cba891e01", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c6d242014402e304c60828137d6be07d20305445d441539b694c576cba891e01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/cli/benchmark.ts"}, "region": {"startLine": 324}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 137881, "scanner": "repobility-threat-engine", "fingerprint": "2a0733b11eb60ae941426d1b024f57b4aecfbc1c11a28681f0e5d76d955a0e57", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a0733b11eb60ae941426d1b024f57b4aecfbc1c11a28681f0e5d76d955a0e57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/bin.ts"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 137880, "scanner": "repobility-threat-engine", "fingerprint": "e3eff63002823b0ecc6ba11afa68fc025fb0d1682f4a806e38d0f06b05074932", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e3eff63002823b0ecc6ba11afa68fc025fb0d1682f4a806e38d0f06b05074932"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/scripts/tee-local-smoke.ts"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 137879, "scanner": "repobility-threat-engine", "fingerprint": "55eeb0a9a7194b21f6ca02ef7c193b2459911684409e0c708c006743b2248894", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|55eeb0a9a7194b21f6ca02ef7c193b2459911684409e0c708c006743b2248894", "aggregated_count": 16}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 137878, "scanner": "repobility-threat-engine", "fingerprint": "f1d78c016ca411ca96ac875bc596787ce21108a29812d12959d6477b6b4d7d4f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f1d78c016ca411ca96ac875bc596787ce21108a29812d12959d6477b6b4d7d4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/connector-routes.ts"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 137877, "scanner": "repobility-threat-engine", "fingerprint": "6a98e6c8e6bebf38273e213cb43c05446f9699082effa72b4cbe53029b604120", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a98e6c8e6bebf38273e213cb43c05446f9699082effa72b4cbe53029b604120"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/actions/page-action-groups.ts"}, "region": {"startLine": 247}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 137876, "scanner": "repobility-threat-engine", "fingerprint": "ffd35c7823fd0ad398966ae847031ac66d455eba38f4aa9f18c715e2719a81f3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ffd35c7823fd0ad398966ae847031ac66d455eba38f4aa9f18c715e2719a81f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/scripts/live-sandbox-smoke.ts"}, "region": {"startLine": 126}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 137875, "scanner": "repobility-threat-engine", "fingerprint": "dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c"}}}, {"ruleId": "AGT002", "level": "error", "message": {"text": "LLM memory extraction can be prompt-injected into storing fake facts"}, "properties": {"repobilityId": 137925, "scanner": "repobility-agent-runtime", "fingerprint": "40acde8d544fa372d8fb554dba62c3176988a7c561c46c322695b683534f2552", "category": "llm_injection", "severity": "high", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File appears to persist LLM-extracted memory from user/assistant exchanges without visible schema validation or prompt-pattern rejection.", "evidence": {"rule_id": "AGT002", "scanner": "repobility-agent-runtime", "data_flow": "chat_exchange_to_persistent_memory", "references": ["https://owasp.org/www-project-top-10-for-large-language-model-applications/"], "correlation_key": "fp|40acde8d544fa372d8fb554dba62c3176988a7c561c46c322695b683534f2552"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/runtime/conversation-compactor-runtime.ts"}, "region": {"startLine": 458}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 137901, "scanner": "repobility-threat-engine", "fingerprint": "c756870a5ad21062a6a9157a7897219302dc30f58859869ded4ff5dcef31843e", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged. Caveat: the match keyed on the word token in tokenURI and tokenId (see correlation_key); a tokenURI is normally a metadata or content URI rather than a credential, so confirm that newURI cannot carry a secret (for example a pre-signed URL) before treating this as credential exposure.", "evidence": {"match": "logger.info(`[registry] Updating tokenURI for token ${tokenId}: ${newURI}`)", "reason": "Credential-bearing variable appears to be printed or logged. Caveat: the match keyed on the word token in tokenURI and tokenId (see correlation_key); a tokenURI is normally a metadata or content URI rather than a credential, so confirm that newURI cannot carry a secret (for example a pre-signed URL) before treating this as credential exposure.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|21|logger.info registry updating tokenuri for token tokenid : newuri"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/registry-service.ts"}, "region": {"startLine": 212}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 137898, "scanner": "repobility-threat-engine", "fingerprint": "1656f6e5e752632b107c7e7b86e670ce1faacece5059b3a6c59eaf4d03776dac", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(event", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1656f6e5e752632b107c7e7b86e670ce1faacece5059b3a6c59eaf4d03776dac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/ws-event-replay.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 137897, "scanner": "repobility-threat-engine", "fingerprint": "17a5526b09358252266f56f212cc007999c26b41c2351750d63127204288da36", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(\n    pathname", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|17a5526b09358252266f56f212cc007999c26b41c2351750d63127204288da36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/workbench-routes.ts"}, "region": {"startLine": 180}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 137896, "scanner": "repobility-threat-engine", "fingerprint": "adb04cb113cf997a04519959da41da583f1c05f096817b35c47de2239c1fbd6c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(msg", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|adb04cb113cf997a04519959da41da583f1c05f096817b35c47de2239c1fbd6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/early-logs.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 137890, "scanner": "repobility-threat-engine", "fingerprint": "36b7662350d98b0ed9002c96ea00c95f82d6d574a9b339e32359d9a83161e7f4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|36b7662350d98b0ed9002c96ea00c95f82d6d574a9b339e32359d9a83161e7f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/tx-service.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 137889, "scanner": "repobility-threat-engine", "fingerprint": "75cd62b163a82369fc835412c199079be77170e7c1e028ffeb0cfe128c89673f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|75cd62b163a82369fc835412c199079be77170e7c1e028ffeb0cfe128c89673f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/hono-adapter.ts"}, "region": {"startLine": 132}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 137888, "scanner": "repobility-threat-engine", "fingerprint": "585104981521f0130e9e53e8d60632604fa54cb101d0e576912feae030ac0c3a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|585104981521f0130e9e53e8d60632604fa54cb101d0e576912feae030ac0c3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/bug-report-routes.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 137886, "scanner": "repobility-threat-engine", "fingerprint": "708c161f6150f31c66b6cb232afce5fdd7c3784dd61e48501ae4d265b6099dca", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((m) => `${m.role === \"user\" ? 
\"User\" : \"Assistant\"}: ${m.content}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|708c161f6150f31c66b6cb232afce5fdd7c3784dd61e48501ae4d265b6099dca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/suggestions-routes.ts"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 137885, "scanner": "repobility-threat-engine", "fingerprint": "be1e1f1f7b3f7e1ac9061936561d6a92bd043493bd81e017e18e2ddac3b1fcda", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((entry) => `- ${entry}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|be1e1f1f7b3f7e1ac9061936561d6a92bd043493bd81e017e18e2ddac3b1fcda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/actions/grounded-action-reply.ts"}, "region": {"startLine": 247}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. 
The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 137884, "scanner": "repobility-threat-engine", "fingerprint": "c0b8c4b9a0108e8d57fa750e9d34b3ae0c0aafa7598e20718f25f084ede3a1af", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((context) => `${context}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c0b8c4b9a0108e8d57fa750e9d34b3ae0c0aafa7598e20718f25f084ede3a1af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/actions/context-signal.ts"}, "region": {"startLine": 186}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 137874, "scanner": "repobility-threat-engine", "fingerprint": "4c42d8e955749e4ffe9b8fde341afc548d73de0063ed2e96e4ae8381e3c86ca2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.map.delete(requestId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4c42d8e955749e4ffe9b8fde341afc548d73de0063ed2e96e4ae8381e3c86ca2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/pending-request-map.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 137873, "scanner": "repobility-threat-engine", "fingerprint": "ce74c5c48e40b33ef24075de489e89ff0afa99f24c706df5991fc72441b3ad70", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.statuses.delete(name);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ce74c5c48e40b33ef24075de489e89ff0afa99f24c706df5991fc72441b3ad70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/src/api/connector-health.ts"}, "region": {"startLine": 160}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 137872, "scanner": "repobility-threat-engine", "fingerprint": "12e3a10a7bb58f75e09a5ca5b72d4c577dc3f107dba1ca932574f51e4df1ef60", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.pending.delete(message.id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|12e3a10a7bb58f75e09a5ca5b72d4c577dc3f107dba1ca932574f51e4df1ef60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent/scripts/live-sandbox-smoke.ts"}, "region": {"startLine": 239}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.VERCEL_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.VERCEL_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137960, "scanner": "repobility-supply-chain", "fingerprint": "f7c213fb489ac564d4437d02c00ab9049d8a5e99dd1a7cd2e08a74f78c2ba822", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f7c213fb489ac564d4437d02c00ab9049d8a5e99dd1a7cd2e08a74f78c2ba822"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/feed-vercel-preview-manual.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.VERCEL_PROJECT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.VERCEL_PROJECT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137959, "scanner": "repobility-supply-chain", "fingerprint": "1cefc8a7bed083ec6d0da1946a5fae325bc37e047dff292698e648fd1f50faa3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1cefc8a7bed083ec6d0da1946a5fae325bc37e047dff292698e648fd1f50faa3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/feed-vercel-preview-manual.yml"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.VERCEL_ORG_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.VERCEL_ORG_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137958, "scanner": "repobility-supply-chain", "fingerprint": "824ad16bb6c7198e41309090a3b8d43112a811a591c8733ef4f498ef644df2c5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|824ad16bb6c7198e41309090a3b8d43112a811a591c8733ef4f498ef644df2c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/feed-vercel-preview-manual.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLAUDE_CODE_OAUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLAUDE_CODE_OAUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137957, "scanner": "repobility-supply-chain", "fingerprint": "1513a39b752d259155f6b8cbf8f5754c5d00a5a22085c68bde062d652f300228", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1513a39b752d259155f6b8cbf8f5754c5d00a5a22085c68bde062d652f300228"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-code-review.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137956, "scanner": "repobility-supply-chain", "fingerprint": "ebeb4bb3bb0b9b983b3512b813541bcfaaf7757d597097029de03b36e4f5b33b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ebeb4bb3bb0b9b983b3512b813541bcfaaf7757d597097029de03b36e4f5b33b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 288}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137955, "scanner": "repobility-supply-chain", "fingerprint": "ae9b0ef21f1fe5c71b84e02abcbc0ba24178572afee4bdfd1d8fefe5cf388648", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae9b0ef21f1fe5c71b84e02abcbc0ba24178572afee4bdfd1d8fefe5cf388648"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 287}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137954, "scanner": "repobility-supply-chain", "fingerprint": "8c2282fe8cc258082dda5794ee4f44eeb15cc47c434a8b6548d1bb02ea95110d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8c2282fe8cc258082dda5794ee4f44eeb15cc47c434a8b6548d1bb02ea95110d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 265}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137953, "scanner": "repobility-supply-chain", "fingerprint": "c773fbd3f53a712f2ff8c9528af8ab93a69af48a4bda730669867e23d00ba1a3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c773fbd3f53a712f2ff8c9528af8ab93a69af48a4bda730669867e23d00ba1a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 264}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137952, "scanner": "repobility-supply-chain", "fingerprint": "e17e242d4e71efee779f1413f7db5d4823b22ae9b1e40c73bf0d1bf817eea52a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e17e242d4e71efee779f1413f7db5d4823b22ae9b1e40c73bf0d1bf817eea52a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137951, "scanner": "repobility-supply-chain", "fingerprint": "d52c4280c1cf425c8268d092f730ed4245d11976a7d1871c8fa8ec851147539b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d52c4280c1cf425c8268d092f730ed4245d11976a7d1871c8fa8ec851147539b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 180}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137950, "scanner": "repobility-supply-chain", "fingerprint": "ce8ce317ab5a403d67812fe12b2f0e7f25b36cc83ac16f06d2d66fdbdab630fd", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ce8ce317ab5a403d67812fe12b2f0e7f25b36cc83ac16f06d2d66fdbdab630fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137949, "scanner": "repobility-supply-chain", "fingerprint": "522e0c9cb229dbf86d63ae46ce2148c156a7f5cb678cf73786fbeb38b025252c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|522e0c9cb229dbf86d63ae46ce2148c156a7f5cb678cf73786fbeb38b025252c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.VAST_BASE_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.VAST_BASE_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137948, "scanner": "repobility-supply-chain", "fingerprint": "4c50d0720a129dd67726c306bceae1575dd05bd9eb262704b02e3f2c418d93ab", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4c50d0720a129dd67726c306bceae1575dd05bd9eb262704b02e3f2c418d93ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.VAST_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.VAST_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137947, "scanner": "repobility-supply-chain", "fingerprint": "827c654aaa7d890dd638081cfa94e8d98d73a78579ded3d53252b047f528a1f4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|827c654aaa7d890dd638081cfa94e8d98d73a78579ded3d53252b047f528a1f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ELEVENLABS_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ELEVENLABS_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137946, "scanner": "repobility-supply-chain", "fingerprint": "510f20ee2b1222de65162af444dd349edce943d6d31735e834b12b040b9dd454", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|510f20ee2b1222de65162af444dd349edce943d6d31735e834b12b040b9dd454"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FAL_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FAL_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137945, "scanner": "repobility-supply-chain", "fingerprint": "3749e38302b42c19d61646543db4794d0ff19cb2ae6b631fb7524e7734033afb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3749e38302b42c19d61646543db4794d0ff19cb2ae6b631fb7524e7734033afb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AI_GATEWAY_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AI_GATEWAY_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137944, "scanner": "repobility-supply-chain", "fingerprint": "48a327d83a59ba3622d52f11d8940333dcb2996e0dd6036b3057de61965a8a51", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|48a327d83a59ba3622d52f11d8940333dcb2996e0dd6036b3057de61965a8a51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GROQ_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GROQ_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137943, "scanner": "repobility-supply-chain", "fingerprint": "0d43365570eec15b6a22f0ab9fd3fe47c21b4295f27d3be9d7d6696dbd65b65d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0d43365570eec15b6a22f0ab9fd3fe47c21b4295f27d3be9d7d6696dbd65b65d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CEREBRAS_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CEREBRAS_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137942, "scanner": "repobility-supply-chain", "fingerprint": "26ab4ba17eaf4c91e59943af5aca127920b53277ffc94ae34c4d623852432303", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|26ab4ba17eaf4c91e59943af5aca127920b53277ffc94ae34c4d623852432303"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ANTHROPIC_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137941, "scanner": "repobility-supply-chain", "fingerprint": "a73f6753c3de8e3ce00dec15c218fb5f363586c3beb9ef0f0df744f352aba85e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a73f6753c3de8e3ce00dec15c218fb5f363586c3beb9ef0f0df744f352aba85e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.OPENAI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.OPENAI_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137940, "scanner": "repobility-supply-chain", "fingerprint": "75b3753a279015079f83b034eef3e0ce8c360ac52240c8a25014dcedd21b850d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|75b3753a279015079f83b034eef3e0ce8c360ac52240c8a25014dcedd21b850d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BITROUTER_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BITROUTER_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137939, "scanner": "repobility-supply-chain", "fingerprint": "4fe6b074b5471fff63e1966ac878eb9eeb7f6e29bb37cd2e95063b4ea199b6b9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4fe6b074b5471fff63e1966ac878eb9eeb7f6e29bb37cd2e95063b4ea199b6b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_ACCOUNT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_ACCOUNT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137938, "scanner": "repobility-supply-chain", "fingerprint": "b01d2a282a6ac1b86f04b5e17bb7a6e6d54b917111987de6ada15cbda6a430fc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b01d2a282a6ac1b86f04b5e17bb7a6e6d54b917111987de6ada15cbda6a430fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CLOUDFLARE_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLOUDFLARE_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137937, "scanner": "repobility-supply-chain", "fingerprint": "5141a68f9e71006d2d8776c18f003c6b5c8e969cd90454f73e222cbeb12a8a40", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5141a68f9e71006d2d8776c18f003c6b5c8e969cd90454f73e222cbeb12a8a40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cloud-cf-deploy.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ANTHROPIC_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 137936, "scanner": "repobility-supply-chain", "fingerprint": "2d635245bdfef5bf17aeb4362934e2ef94e370c7147dcfc89c5e2015c0a4a9bf", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2d635245bdfef5bf17aeb4362934e2ef94e370c7147dcfc89c5e2015c0a4a9bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-security-review.yml"}, "region": {"startLine": 57}}}]}]}]}