{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT013", "name": "Agent auto-approve or skip-permissions mode is easy to enable", "shortDescription": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "fullDescription": {"text": "Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "A file created as a fixed/new/final/copy variant is not referenced by imports or path-like strings in the rest of the repository. This is a strong sign that an agent produced code beside the active application path."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "fullDescription": {"text": "Use the secrets module (Python) or crypto.getRandomValues() (Web Crypto) for security-sensitive randomness; in Node.js use crypto.randomBytes(), crypto.randomInt(), or crypto.randomUUID(). Math.random() is never acceptable for tokens, session identifiers, or nonces."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.25, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/368"}, "properties": {"repository": "gsd-build/get-shit-done", "repoUrl": "https://github.com/gsd-build/get-shit-done.git", "branch": "main"}, "results": [{"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 11949, "scanner": "repobility-threat-engine", "fingerprint": "df7f0e18b1ea4147cb2abe11d48b3e15acfe0b543fb4dbf169db4ea8b25c82e7", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|df7f0e18b1ea4147cb2abe11d48b3e15acfe0b543fb4dbf169db4ea8b25c82e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hooks/gsd-check-update-worker.js"}, "region": {"startLine": 43}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 11948, "scanner": "repobility-threat-engine", "fingerprint": "a6cf86d4eafe42dfc4718ae34140e706dcd13496f6aa667cd4273a679c8bcf59", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", 
"scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a6cf86d4eafe42dfc4718ae34140e706dcd13496f6aa667cd4273a679c8bcf59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hooks/gsd-statusline.js"}, "region": {"startLine": 380}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 11947, "scanner": "repobility-agent-runtime", "fingerprint": "291edb62c12eec30a77c6187124323e6ef6da3a4bc082ef48d183985c9bcfc01", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File documents or configures a broad agent auto-approval (skip-permissions) mode without nearby text stating when it is safe to use, for example only inside an isolated sandbox with no access to credentials or production systems.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|291edb62c12eec30a77c6187124323e6ef6da3a4bc082ef48d183985c9bcfc01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 140}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11946, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eeff3f4503fbab2fc24570bd8997222a376eeaa5eb0e0376018e22ee2e924e59", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "sdk/src/query/phase-list-queries.ts", "duplicate_line": 10, "correlation_key": "fp|eeff3f4503fbab2fc24570bd8997222a376eeaa5eb0e0376018e22ee2e924e59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"sdk/src/query/requirements-extract-from-plans.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11945, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a1154485bb10b919c26846a8010df16df470d942c71becc91029189f8a044258", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "sdk/src/query/profile-extract-messages.ts", "duplicate_line": 100, "correlation_key": "fp|a1154485bb10b919c26846a8010df16df470d942c71becc91029189f8a044258"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/src/query/profile-sample.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11944, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f01f1e62a12ab0dd8ca85b42283ded01865611aac7b215259f17e11ce5a4d26e", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "sdk/src/query/frontmatter-mutation.ts", "duplicate_line": 112, "correlation_key": "fp|f01f1e62a12ab0dd8ca85b42283ded01865611aac7b215259f17e11ce5a4d26e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/src/query/frontmatter.ts"}, "region": {"startLine": 192}}}]}, {"ruleId": "AIC003", "level": "warning", 
"message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11943, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7cc6e143d8513ea751bfeb7946e70dc5a2f94ec5c3dcb24048ee31f9d4e29c70", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "sdk/src/plan-parser.ts", "duplicate_line": 15, "correlation_key": "fp|7cc6e143d8513ea751bfeb7946e70dc5a2f94ec5c3dcb24048ee31f9d4e29c70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/src/query/frontmatter.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11942, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7106004c5b1d85cfdb31053effa1cce78dac7ba403eda26b665c218e6bd7ba66", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "hooks/gsd-prompt-guard.js", "duplicate_line": 19, "correlation_key": "fp|7106004c5b1d85cfdb31053effa1cce78dac7ba403eda26b665c218e6bd7ba66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hooks/gsd-workflow-guard.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11941, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"d042771e1977b2c916c16603009a78187e0d81c2377ed93bc49d228c60d641b4", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "hooks/gsd-read-guard.js", "duplicate_line": 1, "correlation_key": "fp|d042771e1977b2c916c16603009a78187e0d81c2377ed93bc49d228c60d641b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hooks/gsd-workflow-guard.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11940, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d7f343eebaf6c0534741c0dca05e0c066d4110d7db1b07ec0ae55184af739bb", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "hooks/gsd-prompt-guard.js", "duplicate_line": 3, "correlation_key": "fp|8d7f343eebaf6c0534741c0dca05e0c066d4110d7db1b07ec0ae55184af739bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hooks/gsd-read-injection-scanner.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 11939, "scanner": "repobility-ai-code-hygiene", "fingerprint": "31259af2409baf5b42419cd5ddf5f5a17e48722a33427c1205cd142a66f5d74c", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files. Both files appear (by name) to be guard hooks, so a fix applied to one copy but not the other would leave the guards inconsistent.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "hooks/gsd-prompt-guard.js", "duplicate_line": 19, "correlation_key": "fp|31259af2409baf5b42419cd5ddf5f5a17e48722a33427c1205cd142a66f5d74c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hooks/gsd-read-guard.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 11938, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0e2ed63971dbd6a65cd6af76e4c48eb9885afd4334b6d844b85b56f5a5bf0f06", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files. Hook scripts are commonly invoked by path from tool configuration rather than imported, so confirm the file is genuinely unused before treating it as dead code.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|0e2ed63971dbd6a65cd6af76e4c48eb9885afd4334b6d844b85b56f5a5bf0f06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hooks/gsd-check-update.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 11937, "scanner": "repobility-ai-code-hygiene", "fingerprint": "420850ae3282a153eede4274fa0b9dd5fd57140a098703e1f4eb4fd99c6f20f6", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix. Here the matched suffix is 'update', which for a hook named for checking updates may be descriptive rather than a patch artifact; review before acting.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|420850ae3282a153eede4274fa0b9dd5fd57140a098703e1f4eb4fd99c6f20f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hooks/gsd-check-update.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 11950, "scanner": "repobility-threat-engine", "fingerprint": "5a59c543c4482c4522b0a8406ab6f47f2d55ada60c610d3384275b1e01433fd8", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets. Auto-triaged as a false positive at low confidence (0.25); confirm the value is never used as a token or other identifier that must be unguessable before accepting this verdict.", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets. Auto-triaged as a false positive at low confidence (0.25); confirm the value is never used as a token or other identifier that must be unguessable before accepting this verdict.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|169|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/src/query/state-mutation.ts"}, "region": {"startLine": 169}}}]}]}]}