{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC112", "name": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/templa", "shortDescription": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. Using either with user input = XSS."}, "fullDescription": {"text": "Use `html/template` (NOT `text/template`) for HTML responses. 
Never wrap user input with `template.HTML/JS/URL`."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": 
{"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 51 more): Same pattern found in 51 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 51 more): Same pattern found in 51 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 9 more): Same pattern found in 9 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.CI_YAML` used but never assigned in __init__: Method `test_success_deps` of class `TestDependsOn` reads", "shortDescription": {"text": "[MINED108] `self.CI_YAML` used but never assigned in __init__: Method `test_success_deps` of class `TestDependsOn` reads `self.CI_YAML`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError th"}, "fullDescription": {"text": "Initialize `self.CI_YAML = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_success_deps: Test function `test_success_deps` runs code but contains no assert ", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_success_deps: Test function `test_success_deps` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "fullDescription": {"text": "Use a constant command name and validate args via a whitelist."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.CHERRY_PICK_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_reques", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.CHERRY_PICK_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.CHERRY_PICK_TOKEN }` lets a PR from any fork exfiltrate th"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/995"}, "properties": {"repository": "podman-container-tools/podman", "repoUrl": "https://github.com/podman-container-tools/podman", "branch": "main"}, "results": [{"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 93448, "scanner": "repobility-ai-code-hygiene", "fingerprint": "caf0dd415c6a31d98e76a895439cb374ecab75d393e25c9d3e0d1e9b0d43911d", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|caf0dd415c6a31d98e76a895439cb374ecab75d393e25c9d3e0d1e9b0d43911d"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "cmd/podman/auto-update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 93446, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC112", "level": "warning", "message": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. 
Using either with user input = XSS."}, "properties": {"repobilityId": 93445, "scanner": "repobility-threat-engine", "fingerprint": "ccd529915dc5bae069f44e18ca63baf022c4f174dd56b8dc08f1c3b15b2c2490", "category": "xss", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fmt.Fprintln(w, proc); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\treturn w.Flush()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC112", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ccd529915dc5bae069f44e18ca63baf022c4f174dd56b8dc08f1c3b15b2c2490"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/pods/top.go"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 93438, "scanner": "repobility-threat-engine", "fingerprint": "bf340635258cab00a415ae0dfa4377efaafd8b6a06939f37ba2bf933daca9562", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|128|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/containers/exec.go"}, "region": {"startLine": 128}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93471, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2d031e4f2e6881dc8793f494b73c646d03ffdf6d44d1580d0e31d488de0b0cf8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/containers/unmount.go", "duplicate_line": 70, "correlation_key": "fp|2d031e4f2e6881dc8793f494b73c646d03ffdf6d44d1580d0e31d488de0b0cf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/volumes/unmount.go"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93470, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c8a2ff057155e5ab9e636799a61bb8d64f3ba2eb7b8637249dc012e3e740c717", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/containers/prune.go", "duplicate_line": 5, "correlation_key": "fp|c8a2ff057155e5ab9e636799a61bb8d64f3ba2eb7b8637249dc012e3e740c717"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/volumes/prune.go"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93469, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ec3bae9ffdc354e10b936cbaff9f68ebd02c72406b81d539a305273f09dd4099", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/pods/kill.go", "duplicate_line": 1, "correlation_key": "fp|ec3bae9ffdc354e10b936cbaff9f68ebd02c72406b81d539a305273f09dd4099"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/pods/unpause.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93468, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a8c16fd772282fe63a065e88b451c797fa950d6294504f78a7308f38767702f0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, 
"rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/pods/start.go", "duplicate_line": 1, "correlation_key": "fp|a8c16fd772282fe63a065e88b451c797fa950d6294504f78a7308f38767702f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/pods/stop.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93467, "scanner": "repobility-ai-code-hygiene", "fingerprint": "824c0c98a1164122c6e9d1325c46b0a795e713fec236145287fe794c747e6b96", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/containers/kill.go", "duplicate_line": 2, "correlation_key": "fp|824c0c98a1164122c6e9d1325c46b0a795e713fec236145287fe794c747e6b96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/pods/rm.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93466, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bc3069574e48636e4e9176a39e9f0cd262749467508ec8e2a64e48e16aa1180b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/pods/kill.go", "duplicate_line": 1, "correlation_key": 
"fp|bc3069574e48636e4e9176a39e9f0cd262749467508ec8e2a64e48e16aa1180b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/pods/restart.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93465, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dc88eb0a5f0292bab70968e78b868d8741a4aa12d01798c18f59bbb8c21213b2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/pods/kill.go", "duplicate_line": 1, "correlation_key": "fp|dc88eb0a5f0292bab70968e78b868d8741a4aa12d01798c18f59bbb8c21213b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/pods/pause.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93464, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f9fb883ccb0e12a866d1f476439be6222943765b71ed20b9901c0186d89ef220", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/containers/unmount.go", "duplicate_line": 70, "correlation_key": "fp|f9fb883ccb0e12a866d1f476439be6222943765b71ed20b9901c0186d89ef220"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/images/unmount.go"}, "region": 
{"startLine": 51}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93463, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b79bd5a354db93b97b6727e142244a1a78d06c04eb2974fc302cf9d87cf7eefb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/artifact/push.go", "duplicate_line": 4, "correlation_key": "fp|b79bd5a354db93b97b6727e142244a1a78d06c04eb2974fc302cf9d87cf7eefb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/images/push.go"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93462, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2e0ff9729154b84946e451c64a11a1b78b382d1f420b6287654b34b9d07c5696", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/artifact/pull.go", "duplicate_line": 2, "correlation_key": "fp|2e0ff9729154b84946e451c64a11a1b78b382d1f420b6287654b34b9d07c5696"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/images/push.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93461, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "68004d30f56f76add0a842392fabe3391928cc15699a3078b7cdbc6e971f3715", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/artifact/pull.go", "duplicate_line": 50, "correlation_key": "fp|68004d30f56f76add0a842392fabe3391928cc15699a3078b7cdbc6e971f3715"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/images/pull.go"}, "region": {"startLine": 88}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93460, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2995eb1b29d62e64f0e8bf970995b42783b59e5404d4d3ae1d81d559d53a6a54", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/containers/prune.go", "duplicate_line": 5, "correlation_key": "fp|2995eb1b29d62e64f0e8bf970995b42783b59e5404d4d3ae1d81d559d53a6a54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/images/prune.go"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93459, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fe258fada92efedc308270109fce88e3bd6ea7501206e7163b3e9ee8e9647411", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/containers/mount.go", "duplicate_line": 119, "correlation_key": "fp|fe258fada92efedc308270109fce88e3bd6ea7501206e7163b3e9ee8e9647411"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/images/mount.go"}, "region": {"startLine": 97}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93458, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5b6d0fbdd2cdae17dec4acac385d92f61456d258f855e56a0cbe4fc580f42fc4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/containers/kill.go", "duplicate_line": 95, "correlation_key": "fp|5b6d0fbdd2cdae17dec4acac385d92f61456d258f855e56a0cbe4fc580f42fc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/containers/unpause.go"}, "region": {"startLine": 93}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93457, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cb28ab7672e872848313237fc0655f343f4df5390747e222862924043c1e251d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": 
{"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/containers/pause.go", "duplicate_line": 1, "correlation_key": "fp|cb28ab7672e872848313237fc0655f343f4df5390747e222862924043c1e251d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/containers/unpause.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93456, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f4a55f3bf8756b07288ab8834bbc1c3889dd5c8689fde251ff5f4c656c538d28", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/containers/init.go", "duplicate_line": 1, "correlation_key": "fp|f4a55f3bf8756b07288ab8834bbc1c3889dd5c8689fde251ff5f4c656c538d28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/containers/unmount.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93455, "scanner": "repobility-ai-code-hygiene", "fingerprint": "42bc9068df4b776c5f1b0bb48e24db5ae6076f700d5578b6d3fcc1afb36b0d82", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/containers/rm.go", 
"duplicate_line": 100, "correlation_key": "fp|42bc9068df4b776c5f1b0bb48e24db5ae6076f700d5578b6d3fcc1afb36b0d82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/containers/stop.go"}, "region": {"startLine": 101}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93454, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b230b82ab9fa6dddacb08a8a9195b27e0ba486358147fb1c21d4e3e8be6ac297", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/containers/pause.go", "duplicate_line": 4, "correlation_key": "fp|b230b82ab9fa6dddacb08a8a9195b27e0ba486358147fb1c21d4e3e8be6ac297"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/containers/stop.go"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93453, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e4e35f2d09df2339248179e081e592bd0997c6e4aee58897f126521b1e0161b7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/containers/kill.go", "duplicate_line": 1, "correlation_key": "fp|e4e35f2d09df2339248179e081e592bd0997c6e4aee58897f126521b1e0161b7"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "cmd/podman/containers/stop.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93452, "scanner": "repobility-ai-code-hygiene", "fingerprint": "68e3b829fe220cec958e2c1c8e942cfeb9296957a2d57e1154d2e5807db586eb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/containers/kill.go", "duplicate_line": 95, "correlation_key": "fp|68e3b829fe220cec958e2c1c8e942cfeb9296957a2d57e1154d2e5807db586eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/containers/restart.go"}, "region": {"startLine": 102}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93451, "scanner": "repobility-ai-code-hygiene", "fingerprint": "738026860748f1108ff51e37bf581385a8952637ccf0d5b1f2574a02c1c9375d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/containers/pause.go", "duplicate_line": 1, "correlation_key": "fp|738026860748f1108ff51e37bf581385a8952637ccf0d5b1f2574a02c1c9375d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/containers/restart.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block 
across source files"}, "properties": {"repobilityId": 93450, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a3871dca86fb125a6b8ee738a03f0b42fc0c42e6f8e9e848d59a316d48ea2420", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/containers/kill.go", "duplicate_line": 95, "correlation_key": "fp|a3871dca86fb125a6b8ee738a03f0b42fc0c42e6f8e9e848d59a316d48ea2420"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/containers/pause.go"}, "region": {"startLine": 95}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93449, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a1b57713666ca86a66a43c222586ef664b4426c6230abf12cf1ec186bc7cb544", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/podman/artifact/pull.go", "duplicate_line": 1, "correlation_key": "fp|a1b57713666ca86a66a43c222586ef664b4426c6230abf12cf1ec186bc7cb544"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/artifact/push.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 93447, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"35440bf2b14809432d720ec259a11b42efff26eaa3d3b1c9bc6c3b2d2cf5d2e2", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|35440bf2b14809432d720ec259a11b42efff26eaa3d3b1c9bc6c3b2d2cf5d2e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/auto-update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 93444, "scanner": "repobility-threat-engine", "fingerprint": "7baba155165b1a0c6da02e41972c640fcac42439abb68275a67bc285e7c7aa76", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"apply --\"+annotationFlagName+\" values to the image index itself\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7baba155165b1a0c6da02e41972c640fcac42439abb68275a67bc285e7c7aa76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/manifest/annotate.go"}, "region": {"startLine": 56}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 93443, "scanner": "repobility-threat-engine", "fingerprint": "9b32e5760dc33fdab975665a471ea57adfaecb7b5961ef969f62d54e937c4b03", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"{{range . 
}}\" + row + \"\\n{{end -}}\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9b32e5760dc33fdab975665a471ea57adfaecb7b5961ef969f62d54e937c4b03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/images/search.go"}, "region": {"startLine": 199}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 93427, "scanner": "repobility-threat-engine", "fingerprint": "a29f194ccad49c0a02ef6c7b5a7166c1aa15ad587e6c22617c13fa9725b32245", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = extractCmd.RegisterFlagCompletionFunc(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a29f194ccad49c0a02ef6c7b5a7166c1aa15ad587e6c22617c13fa9725b32245"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/artifact/extract.go"}, "region": {"startLine": 33}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 93426, "scanner": "repobility-threat-engine", "fingerprint": "f3ef66b6f3faf37dced7df61ee3ca4f5982bb02f1629a0f909b97a070f680bcf", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = addCmd.RegisterFlagCompletionFunc(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, 
"correlation_key": "fp|f3ef66b6f3faf37dced7df61ee3ca4f5982bb02f1629a0f909b97a070f680bcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/artifact/add.go"}, "region": {"startLine": 45}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 93425, "scanner": "repobility-threat-engine", "fingerprint": "6110df1912f7d0ac75893d37a8406f9615fbb12eba277045dc5c781dfc12ccab", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = io.Copy(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6110df1912f7d0ac75893d37a8406f9615fbb12eba277045dc5c781dfc12ccab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman-mac-helper/main.go"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 51 more): Same pattern found in 51 additional files. Review if needed."}, "properties": {"repobilityId": 93436, "scanner": "repobility-threat-engine", "fingerprint": "a3b134301f5a7530a97eed2e010c6951192a3c32fd2bcc7e7c4c78771b0592b7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 51 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a3b134301f5a7530a97eed2e010c6951192a3c32fd2bcc7e7c4c78771b0592b7", "aggregated_count": 51}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 93435, "scanner": "repobility-threat-engine", "fingerprint": "e1b7f9ea1a5eef0c34b5821ec9e59f424dc9d415b5ca7622ac6e03d3902915e8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e1b7f9ea1a5eef0c34b5821ec9e59f424dc9d415b5ca7622ac6e03d3902915e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/containers/commit.go"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 93434, "scanner": "repobility-threat-engine", "fingerprint": "9410d46db790ed9ccf819357213715955b59373a8554cdd4141b8591ca8748bf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9410d46db790ed9ccf819357213715955b59373a8554cdd4141b8591ca8748bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/containers/checkpoint.go"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 93433, "scanner": "repobility-threat-engine", "fingerprint": "204cce3679b7c9659824996841ff4fd75ee84d773af3ce32a1dfecfd6bc89e40", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|204cce3679b7c9659824996841ff4fd75ee84d773af3ce32a1dfecfd6bc89e40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman-testing/main.go"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 9 more): Same pattern found in 9 additional files. 
Review if needed."}, "properties": {"repobilityId": 93432, "scanner": "repobility-threat-engine", "fingerprint": "8f1fa769b3579a7ecc2409e0b1cb6081f6c86e7fa2df76427646ad8b5b9240d3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8f1fa769b3579a7ecc2409e0b1cb6081f6c86e7fa2df76427646ad8b5b9240d3", "aggregated_count": 9}}}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 117 more): Same pattern found in 117 additional files. Review if needed."}, "properties": {"repobilityId": 93428, "scanner": "repobility-threat-engine", "fingerprint": "0562609587cadc762b47f3d5745ff48c695569f25e9ca865aa421c517654e52b", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 117 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 117 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0562609587cadc762b47f3d5745ff48c695569f25e9ca865aa421c517654e52b"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 93422, "scanner": "repobility-threat-engine", "fingerprint": "4605722e25a8e9c30136a50733a80e2d7e80310cdc2bf10c5b0c14f7302b823e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4605722e25a8e9c30136a50733a80e2d7e80310cdc2bf10c5b0c14f7302b823e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/images/trust_set.go"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 93421, "scanner": "repobility-threat-engine", "fingerprint": "3450efd512de1cf06bd50aead80d2a2eb40cf5e1945a3ff19f0f2b66a8ad8da3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", 
"triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3450efd512de1cf06bd50aead80d2a2eb40cf5e1945a3ff19f0f2b66a8ad8da3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/images/load.go"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 93420, "scanner": "repobility-threat-engine", "fingerprint": "5d0ffb459c152a0166310882ea23a51c07cc83c08e31f4309215ee461c8ca46a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5d0ffb459c152a0166310882ea23a51c07cc83c08e31f4309215ee461c8ca46a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman-mac-helper/install.go"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.CI_YAML` used but never assigned in __init__: Method `test_success_deps` of class `TestDependsOn` reads `self.CI_YAML`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 93476, "scanner": "repobility-ast-engine", "fingerprint": "2dc890f12d223d732beedaa5505606c1c0dc1787f7d3831d400f5524a1d0b43e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2dc890f12d223d732beedaa5505606c1c0dc1787f7d3831d400f5524a1d0b43e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/ci/ci_yaml_test.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertCountEqual` used but never assigned in __init__: Method `test_success_deps` of class `TestDependsOn` reads `self.assertCountEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 93475, "scanner": "repobility-ast-engine", "fingerprint": "8299a840dda61c0fd41d7d16b873360eaacf2fd8c175dc237b1803d1931e3370", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8299a840dda61c0fd41d7d16b873360eaacf2fd8c175dc237b1803d1931e3370"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/ci/ci_yaml_test.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.CI_YAML` used but never assigned in __init__: Method `setUp` of class `TestDependsOn` reads `self.CI_YAML`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 93474, "scanner": "repobility-ast-engine", "fingerprint": "f3e4335dcdfe735d4a57c59dabc8e1716263a125422b06642a17ad9aa619e9e8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f3e4335dcdfe735d4a57c59dabc8e1716263a125422b06642a17ad9aa619e9e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/ci/ci_yaml_test.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_success_deps: Test function `test_success_deps` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 93473, "scanner": "repobility-ast-engine", "fingerprint": "d7b9dc0d409783363707bca058d1b0c779dbcaa7cd44c30ed214cefa8e7aaf59", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d7b9dc0d409783363707bca058d1b0c779dbcaa7cd44c30ed214cefa8e7aaf59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hack/ci/ci_yaml_test.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.state` used but never assigned in __init__: Method `run` of class `APIVersionsDirective` reads `self.state`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 93472, "scanner": "repobility-ast-engine", "fingerprint": "cd63ad9d0811f4140679cc0e0d6110c9d6a91b4739f16c324c565fd9849d45fb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cd63ad9d0811f4140679cc0e0d6110c9d6a91b4739f16c324c565fd9849d45fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/source/conf.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 93442, "scanner": "repobility-threat-engine", "fingerprint": "d4c4afbd2bfacc6abd2016c5817012fa886e58d5cb86fe15ba32cb946c2694b6", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d4c4afbd2bfacc6abd2016c5817012fa886e58d5cb86fe15ba32cb946c2694b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/parse/net.go"}, "region": {"startLine": 160}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 93441, "scanner": "repobility-threat-engine", "fingerprint": "4513a5a8c7d9592680021eb0d43ff6c22dbb817d7247286c088e9b99111c79ee", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4513a5a8c7d9592680021eb0d43ff6c22dbb817d7247286c088e9b99111c79ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/images/load.go"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 93440, "scanner": "repobility-threat-engine", "fingerprint": "8cb972cd01503a73eb891040d1b93294004013f9622a9129bae0975cde57e719", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8cb972cd01503a73eb891040d1b93294004013f9622a9129bae0975cde57e719"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/images/import.go"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 93439, "scanner": "repobility-threat-engine", "fingerprint": "4132b272e1ac8c587ad7eab221509b1005fb50852e8ef9a12cda7d0fbd82a3a1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4132b272e1ac8c587ad7eab221509b1005fb50852e8ef9a12cda7d0fbd82a3a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/containers/exec.go"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 93431, "scanner": "repobility-threat-engine", "fingerprint": "6006909e327d48960abffb860105e9d62d97f2a89da0bcf3d0ce458f777c7ca4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6006909e327d48960abffb860105e9d62d97f2a89da0bcf3d0ce458f777c7ca4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/artifact/pull.go"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 93430, "scanner": "repobility-threat-engine", "fingerprint": "b500ef16e59357e983993ed80dc70eaf25bc72cd6a43eaeb329a2fcb1e8753a4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b500ef16e59357e983993ed80dc70eaf25bc72cd6a43eaeb329a2fcb1e8753a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman-testing/store_supported.go"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 93429, "scanner": "repobility-threat-engine", "fingerprint": "8d1a05c599b4ad7ff847aa97a8ee7a3c8c74d7d67696ef633c13dbaaf6ffb184", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8d1a05c599b4ad7ff847aa97a8ee7a3c8c74d7d67696ef633c13dbaaf6ffb184"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman-mac-helper/service.go"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 93424, "scanner": "repobility-threat-engine", "fingerprint": "fd0e782d777104f32dab2e656319fbbeef13b4e8307b6589225f65368f158fe8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.Command(provider,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fd0e782d777104f32dab2e656319fbbeef13b4e8307b6589225f65368f158fe8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/compose.go"}, "region": {"startLine": 209}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 93423, "scanner": "repobility-threat-engine", "fingerprint": "f4f8c438b6a47a904e8f7b1f4918d4c0891aef5f1bc22a0e6168a83c944012f4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.Command(name,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f4f8c438b6a47a904e8f7b1f4918d4c0891aef5f1bc22a0e6168a83c944012f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman-mac-helper/main.go"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CHERRY_PICK_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CHERRY_PICK_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 93478, "scanner": "repobility-supply-chain", "fingerprint": "895b96acac833b26c6bd373f5ba6f804314cbbc434a7589090feee55ceb95993", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|895b96acac833b26c6bd373f5ba6f804314cbbc434a7589090feee55ceb95993"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cherry-pick.yml"}, "region": {"startLine": 311}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CHERRY_PICK_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CHERRY_PICK_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 93477, "scanner": "repobility-supply-chain", "fingerprint": "db94ccfcc0f8b852f3dc45644f2a738d336defab1b9f13e05091506da40191d9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|db94ccfcc0f8b852f3dc45644f2a738d336defab1b9f13e05091506da40191d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cherry-pick.yml"}, "region": {"startLine": 169}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 93437, "scanner": "repobility-threat-engine", "fingerprint": "58baa0f95a12bde278bb57afcff1b480cf38ffade695ad912c394a214e917516", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|58baa0f95a12bde278bb57afcff1b480cf38ffade695ad912c394a214e917516"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/podman/auto-update.go"}, "region": {"startLine": 118}}}]}]}]}