{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "Add regression tests for anonymous denial, cross-user object denial, admin role limits, and super_admin-only behavior."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 33 more): Same pattern found in 33 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 33 more): Same pattern found in 33 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 40 more): Same pattern found in 40 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED041", "name": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs.", "shortDescription": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED125", "name": "[MINED125] GHA script injection via github.event.pull_request.body in run-step: Multi-line `run: |` block interpolates $", "shortDescription": {"text": "[MINED125] GHA script injection via github.event.pull_request.body in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.body }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "fullDescription": {"text": "Capture the field into an env var first; reference $ENV_VAR in shell."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.REPO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, whi", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.REPO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.REPO_TOKEN }` lets a PR from any fork exfiltrate the secret (modi"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/906"}, "properties": {"repository": "FuelLabs/fuel-core", "repoUrl": "https://github.com/FuelLabs/fuel-core", "branch": "master"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 84758, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Axum"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 84739, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 84759, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Axum"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84757, "scanner": "repobility-ai-code-hygiene", "fingerprint": "36cd9b5a1445d9188987ec4153454c8d46de28e163390b456d5fcb60a9db7e96", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/fuel-core/src/graphql_api/storage.rs", "duplicate_line": 78, "correlation_key": "fp|36cd9b5a1445d9188987ec4153454c8d46de28e163390b456d5fcb60a9db7e96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/services/block_aggregator_api/src/db/table.rs"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84756, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0edb8588272c7c1b1c90270f14edb0f4383b851bb3bdcb8d15af64300e8a38a4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/services/block_aggregator_api/src/db/storage_db.rs", "duplicate_line": 107, "correlation_key": "fp|0edb8588272c7c1b1c90270f14edb0f4383b851bb3bdcb8d15af64300e8a38a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/services/block_aggregator_api/src/db/storage_or_remote_db.rs"}, "region": {"startLine": 110}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84755, "scanner": "repobility-ai-code-hygiene", "fingerprint": "25cdd721c07462220df564e05883ae1b06e1fabb3bc2c4fe5d6a25ee53f3aee1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/fuel-core/src/state/iterable_key_value_view.rs", "duplicate_line": 40, "correlation_key": "fp|25cdd721c07462220df564e05883ae1b06e1fabb3bc2c4fe5d6a25ee53f3aee1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/fuel-core/src/state/key_value_view.rs"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84754, "scanner": "repobility-ai-code-hygiene", "fingerprint": "582766515337ff9cd668c07c4c1c88e3cb39ee1b285cca0b2142a2c22a1a2479", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/fuel-core/src/state/in_memory/memory_store.rs", "duplicate_line": 164, "correlation_key": "fp|582766515337ff9cd668c07c4c1c88e3cb39ee1b285cca0b2142a2c22a1a2479"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/fuel-core/src/state/in_memory/memory_view.rs"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84753, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b0b24d1b6db8eec6d528ca74a9e3402321236ae3b0af66fbd952548d42ded277", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/fuel-core/src/service/genesis/importer.rs", "duplicate_line": 13, "correlation_key": "fp|b0b24d1b6db8eec6d528ca74a9e3402321236ae3b0af66fbd952548d42ded277"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/fuel-core/src/service/genesis/importer/off_chain.rs"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84752, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2408ddecd6794024b826a3db67937327bac817bb0b327c77e8e5903697bfea96", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/chain-config/src/config/state.rs", "duplicate_line": 16, "correlation_key": "fp|2408ddecd6794024b826a3db67937327bac817bb0b327c77e8e5903697bfea96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/fuel-core/src/service/genesis/importer.rs"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84751, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d68127fdbcb744e72e498d797d96952985af030ba66c5a1a35ea2a8606dc28e0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/fuel-core/src/service/genesis/exporter.rs", "duplicate_line": 36, "correlation_key": "fp|d68127fdbcb744e72e498d797d96952985af030ba66c5a1a35ea2a8606dc28e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/fuel-core/src/service/genesis/importer.rs"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84750, "scanner": "repobility-ai-code-hygiene", "fingerprint": "749958114b876f4438a2206711b06e8946f909fd5944bcbaee3f4138450959c6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/chain-config/src/config/state.rs", "duplicate_line": 16, "correlation_key": "fp|749958114b876f4438a2206711b06e8946f909fd5944bcbaee3f4138450959c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/fuel-core/src/service/genesis/exporter.rs"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84749, "scanner": "repobility-ai-code-hygiene", "fingerprint": "34e0d38dddd882b9e95a8360acb80485c5fef6409dfce5743d81dcbb6b2a4841", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/fuel-core/src/service/adapters/tx_status_manager.rs", "duplicate_line": 30, "correlation_key": "fp|34e0d38dddd882b9e95a8360acb80485c5fef6409dfce5743d81dcbb6b2a4841"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/fuel-core/src/service/adapters/txpool.rs"}, "region": {"startLine": 78}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84748, "scanner": "repobility-ai-code-hygiene", "fingerprint": "94f26e9b9fa9ae237be000f35f735267652301cf1a65a5c9f99fe532cc4bd252", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/fuel-core/src/graphql_api/database.rs", "duplicate_line": 49, "correlation_key": "fp|94f26e9b9fa9ae237be000f35f735267652301cf1a65a5c9f99fe532cc4bd252"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/fuel-core/src/service/adapters/graphql_api/off_chain.rs"}, "region": {"startLine": 70}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84747, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a04db13b278c3f66604cd02b7c31e1d9c597ebe21103ca33bd7f53630d640ea9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/client/src/client/schema/tx/transparent_receipt.rs", "duplicate_line": 50, "correlation_key": "fp|a04db13b278c3f66604cd02b7c31e1d9c597ebe21103ca33bd7f53630d640ea9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/fuel-core/src/schema/tx/receipt.rs"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84746, "scanner": "repobility-ai-code-hygiene", "fingerprint": "245e254a05dd653a24287b2d01431f217cc623ecc53eb2733268c8a7b87c145c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/fuel-core/src/schema/scalars/message_id.rs", "duplicate_line": 1, "correlation_key": "fp|245e254a05dd653a24287b2d01431f217cc623ecc53eb2733268c8a7b87c145c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/fuel-core/src/schema/scalars/utxo_id.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84745, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fbf2e49626983bf978f3cd0e047c82914b2035a4d4fbddbaccee6a13e06cc7ce", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/fuel-core/src/schema/scalars/message_id.rs", "duplicate_line": 1, "correlation_key": "fp|fbf2e49626983bf978f3cd0e047c82914b2035a4d4fbddbaccee6a13e06cc7ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/fuel-core/src/schema/scalars/tx_pointer.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84744, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cfc6a64656b55e688101afc40193e014acb1e219c2608c7b761bfb0f3c2d1a1b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/fuel-core/src/schema/coins.rs", "duplicate_line": 92, "correlation_key": "fp|cfc6a64656b55e688101afc40193e014acb1e219c2608c7b761bfb0f3c2d1a1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/fuel-core/src/schema/message.rs"}, "region": {"startLine": 171}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84743, "scanner": "repobility-ai-code-hygiene", "fingerprint": "988daa04b9ccc447b0be70ed1642afdcd69ce3a49b054010c13de7495664caeb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/fuel-core/src/graphql_api/database.rs", "duplicate_line": 37, "correlation_key": "fp|988daa04b9ccc447b0be70ed1642afdcd69ce3a49b054010c13de7495664caeb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/fuel-core/src/graphql_api/ports.rs"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84742, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dcb57b6da8a1ed06bf72f1a06b4bc1433119a4bed89602a2a6e4d69cf28dd7fd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/compression/src/compressed_block_payload/v0.rs", "duplicate_line": 5, "correlation_key": "fp|dcb57b6da8a1ed06bf72f1a06b4bc1433119a4bed89602a2a6e4d69cf28dd7fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/compression/src/lib.rs"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84741, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1c3b9fe133e9a6a1af04cf51a291f36e87c1c68b876941f39fe35c690ff25d75", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/compression/src/compressed_block_payload/v0.rs", "duplicate_line": 1, "correlation_key": "fp|1c3b9fe133e9a6a1af04cf51a291f36e87c1c68b876941f39fe35c690ff25d75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/compression/src/compressed_block_payload/v1.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 84740, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1a1a43a936428c107e4a296de58e215424cd4c62602dd01a6a6105188e6033ec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/client/src/client/schema/tx.rs", "duplicate_line": 65, "correlation_key": "fp|1a1a43a936428c107e4a296de58e215424cd4c62602dd01a6a6105188e6033ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/client/src/client/schema/tx/transparent_tx.rs"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 84735, "scanner": "repobility-threat-engine", "fingerprint": "74c9849cdbf460eb3f9748b947ae57846853f9fd2e92c86007b8fc2d82cf086b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|74c9849cdbf460eb3f9748b947ae57846853f9fd2e92c86007b8fc2d82cf086b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benches/src/utils.rs"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 84734, "scanner": "repobility-threat-engine", "fingerprint": "9a22336672f8eb2fb76d4ab7671c851ff41a605bfb058736772199ac2ea0f56e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9a22336672f8eb2fb76d4ab7671c851ff41a605bfb058736772199ac2ea0f56e", "aggregated_count": 3}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 84733, "scanner": "repobility-threat-engine", "fingerprint": "3555a84df9beb1950c071bb72d369c702d623234825f3f4b4d67b79cf7c3b0d3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3555a84df9beb1950c071bb72d369c702d623234825f3f4b4d67b79cf7c3b0d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/fuel-core/src/query/message/test.rs"}, "region": {"startLine": 189}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 84732, "scanner": "repobility-threat-engine", "fingerprint": "a5aa2c3e7436bb31efabc4906d40f0fda99aae91a41a8e4517052f6ca0a01a85", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a5aa2c3e7436bb31efabc4906d40f0fda99aae91a41a8e4517052f6ca0a01a85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/compression/src/lib.rs"}, "region": {"startLine": 313}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 84731, "scanner": "repobility-threat-engine", "fingerprint": "d05625032178481bc55cffe50e9c83271b616f0e51565ba3a4440348006ffb45", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d05625032178481bc55cffe50e9c83271b616f0e51565ba3a4440348006ffb45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benches/src/utils.rs"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 33 more): Same pattern found in 33 additional files. Review if needed."}, "properties": {"repobilityId": 84730, "scanner": "repobility-threat-engine", "fingerprint": "eecb4c189aac4f2b45d0c4ae58099637cc98b83100443b55234065d3c87b6342", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 33 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|eecb4c189aac4f2b45d0c4ae58099637cc98b83100443b55234065d3c87b6342", "aggregated_count": 33}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 84729, "scanner": "repobility-threat-engine", "fingerprint": "3c8b379ec9a0df11fb3d7cc924762f5a2a563a811cb8ed8b2bf7ac6705967db0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3c8b379ec9a0df11fb3d7cc924762f5a2a563a811cb8ed8b2bf7ac6705967db0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benches/benches/vm.rs"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 84728, "scanner": "repobility-threat-engine", "fingerprint": "da0b562b71534a1575d23c7289ff5ea586fdb58c861a8b96185745ab840586f6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|da0b562b71534a1575d23c7289ff5ea586fdb58c861a8b96185745ab840586f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benches/benches/utils.rs"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 84727, "scanner": "repobility-threat-engine", "fingerprint": "f814a817ea3673c82ca416e3a428156c8db47bd97effd1d084c5339d24dba14d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f814a817ea3673c82ca416e3a428156c8db47bd97effd1d084c5339d24dba14d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benches/benches/block_target_gas_set/crypto.rs"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "properties": {"repobilityId": 84726, "scanner": "repobility-threat-engine", "fingerprint": "d763668abc362df74774cf593c0f9d21665702c0fed325ee2273fa158a56dc95", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 40 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d763668abc362df74774cf593c0f9d21665702c0fed325ee2273fa158a56dc95", "aggregated_count": 40}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84785, "scanner": "repobility-supply-chain", "fingerprint": "e2fbbeec8bd993d1ba2d3ac4556cba112de28f064b31de4f0ddbcc49de051cce", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2fbbeec8bd993d1ba2d3ac4556cba112de28f064b31de4f0ddbcc49de051cce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84784, "scanner": "repobility-supply-chain", "fingerprint": "6908a8aa9c8ca2b9a4a7462a657fa5baa03764336333a1f8c2d7585a9aba636d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6908a8aa9c8ca2b9a4a7462a657fa5baa03764336333a1f8c2d7585a9aba636d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@master`: `uses: dtolnay/rust-toolchain@master` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84783, "scanner": "repobility-supply-chain", "fingerprint": "24a4a79af19cd0d739464f2cf2c10e18c909de408ebf3cc77043a31be9112284", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|24a4a79af19cd0d739464f2cf2c10e18c909de408ebf3cc77043a31be9112284"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84782, "scanner": "repobility-supply-chain", "fingerprint": "8d8d68826c53377796d1902bec9456419366e04a48809a8cdade7a7494d831d7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8d8d68826c53377796d1902bec9456419366e04a48809a8cdade7a7494d831d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@master`: `uses: dtolnay/rust-toolchain@master` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84781, "scanner": "repobility-supply-chain", "fingerprint": "8921cfac32216da20a2aea43cb0788c4c162e9bdf061fa5226f6897327da4ad5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8921cfac32216da20a2aea43cb0788c4c162e9bdf061fa5226f6897327da4ad5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84780, "scanner": "repobility-supply-chain", "fingerprint": "ad6e1e095f8a54affa1c64b3430d4bfedad6234e8ccde789748b4fbb5c2f1e5b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad6e1e095f8a54affa1c64b3430d4bfedad6234e8ccde789748b4fbb5c2f1e5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84779, "scanner": "repobility-supply-chain", "fingerprint": "af461014525974afc5efdcefaa94b08c472c902be726bb832f0153693897f944", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|af461014525974afc5efdcefaa94b08c472c902be726bb832f0153693897f944"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84777, "scanner": "repobility-supply-chain", "fingerprint": "b3a457f789836650721e41fb84df80d86f4f5792a760a9c2a358507a8040fcdf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b3a457f789836650721e41fb84df80d86f4f5792a760a9c2a358507a8040fcdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/delete-test-env.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `crate-ci/typos` pinned to mutable ref `@master`: `uses: crate-ci/typos@master` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84776, "scanner": "repobility-supply-chain", "fingerprint": "acef7badd2ef06f6854f4c171f71f6b988c66bac61d4d6056c6e9b8ed187b4b4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|acef7badd2ef06f6854f4c171f71f6b988c66bac61d4d6056c6e9b8ed187b4b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spellcheck.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84775, "scanner": "repobility-supply-chain", "fingerprint": "2e8f95bd2e086cd24d48a3e08fe77ed0188015b0427af1d9a56dc896ce32612e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2e8f95bd2e086cd24d48a3e08fe77ed0188015b0427af1d9a56dc896ce32612e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spellcheck.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v6`: `uses: actions/download-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84774, "scanner": "repobility-supply-chain", "fingerprint": "327a1efac995f32af1abda7afe764fe70e78d6da23cfe9069e0477931d500bd0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|327a1efac995f32af1abda7afe764fe70e78d6da23cfe9069e0477931d500bd0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dependencies.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v6`: `uses: actions/download-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84773, "scanner": "repobility-supply-chain", "fingerprint": "773f1d3a593670d3f00ddbc8fdba6354a9c4448a89957557b6f5d8d741e9fe71", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|773f1d3a593670d3f00ddbc8fdba6354a9c4448a89957557b6f5d8d741e9fe71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dependencies.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84772, "scanner": "repobility-supply-chain", "fingerprint": "299ddcad163c4e499829f758c62c5062525005868d9e72002e4dbd44b9aeabfa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|299ddcad163c4e499829f758c62c5062525005868d9e72002e4dbd44b9aeabfa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dependencies.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84771, "scanner": "repobility-supply-chain", "fingerprint": "cd71cf4bd2e15b735da78e00d996734b194a11fa15f8e824c4a2d4ee60320453", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd71cf4bd2e15b735da78e00d996734b194a11fa15f8e824c4a2d4ee60320453"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dependencies.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84770, "scanner": "repobility-supply-chain", "fingerprint": "a0f6782ed29905330a22681dd672b491ae51cea67be51e9e2cc253d6476e8235", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a0f6782ed29905330a22681dd672b491ae51cea67be51e9e2cc253d6476e8235"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dependencies.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@master`: `uses: dtolnay/rust-toolchain@master` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84769, "scanner": "repobility-supply-chain", "fingerprint": "025780ffcf22d5102b02b724e9d59e0cc0a118edf8e4fb000128233fb14f4152", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|025780ffcf22d5102b02b724e9d59e0cc0a118edf8e4fb000128233fb14f4152"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dependencies.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84768, "scanner": "repobility-supply-chain", "fingerprint": "359570411f08df0fdaf6da87ca2db1ec634abee892fc53f1fda1345344ace7f3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|359570411f08df0fdaf6da87ca2db1ec634abee892fc53f1fda1345344ace7f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dependencies.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84767, "scanner": "repobility-supply-chain", "fingerprint": "a12b07a70f955fb1091baf38156515dcab465392aca53049534009f7108a0720", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a12b07a70f955fb1091baf38156515dcab465392aca53049534009f7108a0720"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/releasy-dependency-commits.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `taiki-e/install-action` pinned to mutable ref `@v2`: `uses: taiki-e/install-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84766, "scanner": "repobility-supply-chain", "fingerprint": "b0b68ec4fc030038f47e036e2e11357cb5a62a3b4dca638a5ed2c27b59563ceb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b0b68ec4fc030038f47e036e2e11357cb5a62a3b4dca638a5ed2c27b59563ceb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly-cargo-audit.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84765, "scanner": "repobility-supply-chain", "fingerprint": "ae071158536c245a38c2f9434ed208eeddc12b68b172cf5f9f0a0a0a48b6a0f5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae071158536c245a38c2f9434ed208eeddc12b68b172cf5f9f0a0a0a48b6a0f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly-cargo-audit.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84764, "scanner": "repobility-supply-chain", "fingerprint": "c9e8381d53c041be2e617f784b64e8567b35a41cc9083ca71e74070d9a9e2c89", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c9e8381d53c041be2e617f784b64e8567b35a41cc9083ca71e74070d9a9e2c89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-test-beta4-dev.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84763, "scanner": "repobility-supply-chain", "fingerprint": "dd3469b9aa470eec8e341408d60bfe6500501262dcd2d3b14480d69ffe48e1a5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dd3469b9aa470eec8e341408d60bfe6500501262dcd2d3b14480d69ffe48e1a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/chaos-test.yml"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84762, "scanner": "repobility-supply-chain", "fingerprint": "7e6038a0333b8af5aac79cbc4cd3b8316ce9850e49cc0e29422d1e5306d0712f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e6038a0333b8af5aac79cbc4cd3b8316ce9850e49cc0e29422d1e5306d0712f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/chaos-test.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84761, "scanner": "repobility-supply-chain", "fingerprint": "11c7da22c78896225bd6cf7350cedb20380af9b7002f01304eddc011fc125707", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|11c7da22c78896225bd6cf7350cedb20380af9b7002f01304eddc011fc125707"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/chaos-test.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 84760, "scanner": "repobility-supply-chain", "fingerprint": "45d83d85b65f3943f03538fa0b0d8f8f509be05268b24f071c13f3b7df9827ce", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45d83d85b65f3943f03538fa0b0d8f8f509be05268b24f071c13f3b7df9827ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/chaos-test.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 84738, "scanner": "repobility-threat-engine", "fingerprint": "d187d2c7f59dc9712fb6bc82c9c2f6c67cfde63e40074ce501c05791de08f723", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d187d2c7f59dc9712fb6bc82c9c2f6c67cfde63e40074ce501c05791de08f723"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/services/block_aggregator_api/src/db/storage_or_remote_db.rs"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 84737, "scanner": "repobility-threat-engine", "fingerprint": "f04b9258e90a5006c9e4f9b3ecfb4d60245ac50012877825186fc995cae47661", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f04b9258e90a5006c9e4f9b3ecfb4d60245ac50012877825186fc995cae47661"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/services/block_aggregator_api/src/db/remote_cache.rs"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 84736, "scanner": "repobility-threat-engine", "fingerprint": "9c0d32856c2d41a33a7ccfcfc63c57636fe326698a8edb28ea7c1408e43e9691", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9c0d32856c2d41a33a7ccfcfc63c57636fe326698a8edb28ea7c1408e43e9691"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/fuel-core/src/state.rs"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 84725, "scanner": "repobility-threat-engine", "fingerprint": "2ac6c9831c5ce819c14c6edbcbcd5dd978b8898212f7af9bce131ff1ac42b9bb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2ac6c9831c5ce819c14c6edbcbcd5dd978b8898212f7af9bce131ff1ac42b9bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benches/benches/db_lookup_times.rs"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 84724, "scanner": "repobility-threat-engine", "fingerprint": "0c67a115146ebe1ffd8f109457b42656fbc1cd2ac333158639865620df622ad1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0c67a115146ebe1ffd8f109457b42656fbc1cd2ac333158639865620df622ad1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benches/benches/block_target_gas_set/memory.rs"}, "region": {"startLine": 198}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 84723, "scanner": "repobility-threat-engine", "fingerprint": "d3c5e7917e4f7f987d4e47553912ce383ab70eb7f05ee82437b9cbc1c2466f5c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d3c5e7917e4f7f987d4e47553912ce383ab70eb7f05ee82437b9cbc1c2466f5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benches/benches/block_target_gas_set/crypto.rs"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.body in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.body }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 84789, "scanner": "repobility-supply-chain", "fingerprint": "02f1e62ce4bc2fef61957f626bf09b64f7934a652cf98698996a91de4569a94e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|02f1e62ce4bc2fef61957f626bf09b64f7934a652cf98698996a91de4569a94e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/create_version.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.REPO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.REPO_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 84788, "scanner": "repobility-supply-chain", "fingerprint": "50b3bc1dab2ffec00e13e0f79dc866e4df43f0b95073addf529aa41d1aafe21a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|50b3bc1dab2ffec00e13e0f79dc866e4df43f0b95073addf529aa41d1aafe21a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-test-env.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKER_IO_READ_ONLY_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_IO_READ_ONLY_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 84787, "scanner": "repobility-supply-chain", "fingerprint": "c23bf34003b3a11cbce41338418480cb9a30b87818f4d3d56a7f780026dc0b54", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c23bf34003b3a11cbce41338418480cb9a30b87818f4d3d56a7f780026dc0b54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 437}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CARGO_REGISTRY_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CARGO_REGISTRY_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 84786, "scanner": "repobility-supply-chain", "fingerprint": "2f7f8a0a05f5cdfb458b23af2b73f9bb9834edc06ed7f02135e4b8fb5f0f45f6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2f7f8a0a05f5cdfb458b23af2b73f9bb9834edc06ed7f02135e4b8fb5f0f45f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 387}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.REPO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.REPO_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 84778, "scanner": "repobility-supply-chain", "fingerprint": "5a8d0061ed4135e25b1f35b73e625a904aec2e6d20f989dfd77ca96c54278f80", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5a8d0061ed4135e25b1f35b73e625a904aec2e6d20f989dfd77ca96c54278f80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/delete-test-env.yml"}, "region": {"startLine": 31}}}]}]}]}