{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to 
perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /a"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 42.9% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 42.9% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR015", "name": "Docker build context is very large", "shortDescription": {"text": "Docker build context is very large"}, "fullDescription": {"text": "Shrink the build context with .dockerignore, move generated/runtime data outside the build context, and copy only the manifest files needed for cached dependency layers."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC112", "name": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/templa", "shortDescription": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. Using either with user input = XSS."}, "fullDescription": {"text": "Use `html/template` (NOT `text/template`) for HTML responses. Never wrap user input with `template.HTML/JS/URL`."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": 
"Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not 
Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 22 more): Same pattern found in 22 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 14 more): Same pattern found in 14 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 18 more): Same pattern found in 18 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 73 more): Same pattern found in 73 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 73 more): Same pattern found in 73 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.", "shortDescription": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `node:24-slim` not pinned by digest: `FROM node:24-slim` resolves the tag at build time. The ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `node:24-slim` not pinned by digest: `FROM node:24-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images shou"}, "fullDescription": {"text": "Replace with: `FROM node:24-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express POST /api/archive_singleplayer_game has no auth: Express route POST /api/archive_singleplayer_game de", "shortDescription": {"text": "[MINED113] Express POST /api/archive_singleplayer_game has no auth: Express route POST /api/archive_singleplayer_game declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated r"}, "fullDescription": {"text": "Add an auth middleware: app.post('/api/archive_singleplayer_game', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. 
If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /game/:id."}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "MINED031", "name": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React wont re-render.", "shortDescription": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React wont re-render."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern.", "shortDescription": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN001", "name": "Token handoff appears to use a callback URL or fragment", "shortDescription": {"text": "Token handoff appears to use a callback URL or fragment"}, "fullDescription": {"text": "Use a server-side one-time authorization code tied to a registered callback allowlist. Do not append access tokens to callback URLs or fragments."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1281"}, "properties": {"repository": "openfrontio/OpenFrontIO", "repoUrl": "https://github.com/openfrontio/OpenFrontIO", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 130111, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", 
"message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 130110, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 130105, "scanner": "repobility-journey-contract", "fingerprint": "00765c15d277f18942cab38534149ac67add70ad7bf316ad61dd527109375328", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/cache/clear", "correlation_key": "fp|00765c15d277f18942cab38534149ac67add70ad7bf316ad61dd527109375328", "backend_endpoint_count": 7}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/pathfinding/playground/server.ts"}, "region": {"startLine": 222}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend 
routes"}, "properties": {"repobilityId": 130104, "scanner": "repobility-journey-contract", "fingerprint": "5271e0dfc85d848121481b2c79b88ef858b622beb1b8eefd65e6fd3b5bf0922d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/spatial-query", "correlation_key": "fp|5271e0dfc85d848121481b2c79b88ef858b622beb1b8eefd65e6fd3b5bf0922d", "backend_endpoint_count": 7}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/pathfinding/playground/server.ts"}, "region": {"startLine": 177}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 130103, "scanner": "repobility-journey-contract", "fingerprint": "1ad4f6c824b6cbc196d929a8353b86c722c3b10044ddfb65f5fee08afbf833af", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/pathfind", "correlation_key": "fp|1ad4f6c824b6cbc196d929a8353b86c722c3b10044ddfb65f5fee08afbf833af", "backend_endpoint_count": 7}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/pathfinding/playground/server.ts"}, "region": {"startLine": 116}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": 
{"repobilityId": 130102, "scanner": "repobility-journey-contract", "fingerprint": "77c14e5ca41bd24a6e2734a16d9e1d8d974dc2159ddc4921ab19434896bee2df", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/maps/{param}/thumbnail", "correlation_key": "fp|77c14e5ca41bd24a6e2734a16d9e1d8d974dc2159ddc4921ab19434896bee2df", "backend_endpoint_count": 7}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/pathfinding/playground/server.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 130101, "scanner": "repobility-journey-contract", "fingerprint": "f5a8dd5fd5579eccf7aba89f65040ce75c067e8f41207616dc8b3571e7c06749", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/maps/{param}", "correlation_key": "fp|f5a8dd5fd5579eccf7aba89f65040ce75c067e8f41207616dc8b3571e7c06749", "backend_endpoint_count": 7}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/pathfinding/playground/server.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 
130100, "scanner": "repobility-journey-contract", "fingerprint": "e157430da73009679dd2be7042835a8c1c3e0bd7776589f5d837292a40bcc9ce", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/maps", "correlation_key": "fp|e157430da73009679dd2be7042835a8c1c3e0bd7776589f5d837292a40bcc9ce", "backend_endpoint_count": 7}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/pathfinding/playground/server.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 130099, "scanner": "repobility-journey-contract", "fingerprint": "db53a24856469049489e06135967a469fe0e11a1b056004f873362a8ba3a4343", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/pathfind", "correlation_key": "fp|db53a24856469049489e06135967a469fe0e11a1b056004f873362a8ba3a4343", "backend_endpoint_count": 7}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/pathfinding/playground/public/client.js"}, "region": {"startLine": 1153}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 130098, "scanner": 
"repobility-journey-contract", "fingerprint": "3f9428dab327be3a1f78d75bc79af2df627aa7aea09afbc30a84e884cd56f2af", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/maps", "correlation_key": "fp|3f9428dab327be3a1f78d75bc79af2df627aa7aea09afbc30a84e884cd56f2af", "backend_endpoint_count": 7}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/pathfinding/playground/public/client.js"}, "region": {"startLine": 942}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 130097, "scanner": "repobility-journey-contract", "fingerprint": "41ac07e3959f2358e8e08c1e88eb95fb8b61a5b2ef3609f3aa41cc99ac6e7027", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/spatial-query", "correlation_key": "fp|41ac07e3959f2358e8e08c1e88eb95fb8b61a5b2ef3609f3aa41cc99ac6e7027", "backend_endpoint_count": 7}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/pathfinding/playground/public/client.js"}, "region": {"startLine": 864}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, 
invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /api/archive_singleplayer_game."}, "properties": {"repobilityId": 130095, "scanner": "repobility-access-control", "fingerprint": "cccf2081d784f6ebaaf76e186065041acf01bca5d9c804dbe9a575e76f4f279b", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/archive_singleplayer_game", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|src/server/worker.ts|235|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/Worker.ts"}, "region": {"startLine": 235}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /api/create_game/:id."}, "properties": {"repobilityId": 130094, "scanner": "repobility-access-control", "fingerprint": "f27acd9db20dc940e51eadf56e2bba62d598dc4626c17b1cff7fff7d962cfd32", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/create_game/:id", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|src/server/worker.ts|142|auc009", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/Worker.ts"}, "region": {"startLine": 142}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 42.9% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 130091, "scanner": "repobility-access-control", "fingerprint": "861c1b10dd6dee77b465b90c002825856f7d3ce86225b1f9a78674d9cee396c2", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 7, "correlation_key": "fp|861c1b10dd6dee77b465b90c002825856f7d3ce86225b1f9a78674d9cee396c2", "auth_visible_percent": 42.9}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 130090, "scanner": "repobility-access-control", "fingerprint": 
"f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 130088, "scanner": "repobility-docker", "fingerprint": "0ea7d7c9d4bc5a7503034fd802ae3e30b884ddab879aa4969e30b4d689ea5916", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0ea7d7c9d4bc5a7503034fd802ae3e30b884ddab879aa4969e30b4d689ea5916"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKR015", "level": "warning", "message": {"text": "Docker build context is very large"}, "properties": {"repobilityId": 130086, "scanner": "repobility-docker", "fingerprint": "b15d4f710afeff2af4cd4ab204332853f9025b78869a0e87bb466a798bb1a15b", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Estimated Docker build context exceeds Repobility's 
size or file-count threshold.", "evidence": {"capped": false, "rule_id": "DKR015", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "largest_paths": [{"path": "map-generator/assets/maps/southamerica/image.png", "size_mb": 15.9}, {"path": "map-generator/assets/maps/africa/image.png", "size_mb": 15.1}, {"path": "resources/maps/giantworldmap/map.bin", "size_mb": 7.6}, {"path": "resources/maps/hawaii/map.bin", "size_mb": 6.3}, {"path": "map-generator/assets/maps/mena/image.png", "size_mb": 6.1}], "included_files": 2226, "context_size_mb": 520.6, "correlation_key": "fp|b15d4f710afeff2af4cd4ab204332853f9025b78869a0e87bb466a798bb1a15b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 130085, "scanner": "repobility-agent-runtime", "fingerprint": "9392f2bb97a1c9e6ce3ca47aae16a78ff8f826aa71400651d906e3d6fde8bc74", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|9392f2bb97a1c9e6ce3ca47aae16a78ff8f826aa71400651d906e3d6fde8bc74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/components/IOSAddToHomeScreenBanner.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 130051, "scanner": "repobility-threat-engine", "fingerprint": 
"89d8286cb58cdfe74da5eee895186d8689b588ce319608fb4e33a88344d4c7b7", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|89d8286cb58cdfe74da5eee895186d8689b588ce319608fb4e33a88344d4c7b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/components/NavNotificationsController.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 130050, "scanner": "repobility-threat-engine", "fingerprint": "9bdc5734bd26d82700698ba7e032554fa22b4b2f10ce8c40289f8e49130e77dc", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(url, \"_blank\", \"noopener,noreferrer\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|34|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/components/SubscriptionPanel.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 130049, "scanner": "repobility-threat-engine", "fingerprint": "b93fc66cef8dbc7bc1cc7413ddc0991cd02a7cdf84f55d8bb72317bdd7fcd58e", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a\n            href=\"/terms-of-service.html\"\n            data-i18n=\"main.terms_of_service\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|85|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/components/Footer.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 130048, "scanner": "repobility-threat-engine", "fingerprint": "2cd41ab06c4445be181fbf4b98a1de277edb557238088942ae9f68b0b635ed58", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ivate _title: string;\n\n  private rand = Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2cd41ab06c4445be181fbf4b98a1de277edb557238088942ae9f68b0b635ed58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/hud/layers/WinModal.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 130047, "scanner": "repobility-threat-engine", "fingerprint": "a52fef41f7d2a9f199b919de39c9a17f51bf2f8d23f71cf48dc064f48098ba90", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random()}`;\n  private readonly lockKey = \"multi-tab-lock\";\n  priv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a52fef41f7d2a9f199b919de39c9a17f51bf2f8d23f71cf48dc064f48098ba90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/MultiTabDetector.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC112", "level": "warning", "message": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. 
Using either with user input = XSS."}, "properties": {"repobilityId": 130018, "scanner": "repobility-threat-engine", "fingerprint": "9f6489e6aded5e0f1f0ccac264a11bdac91595f83741e290ef01d4dc37cec93c", "category": "xss", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fmt.Fprintln(buf, r.Message)\n\n\th.mu.Lock()\n\tdefer h.mu.Unlock()\n\t_, err := h.w.Write(buf.Bytes())\n\tr", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC112", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9f6489e6aded5e0f1f0ccac264a11bdac91595f83741e290ef01d4dc37cec93c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "map-generator/logger.go"}, "region": {"startLine": 170}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 130112, "scanner": "repobility-web-presence", "fingerprint": "5c699517dc7729c686829baa63f0e557b4736485579cee00ae71535b800dd5d2", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|5c699517dc7729c686829baa63f0e557b4736485579cee00ae71535b800dd5d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 130109, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": 
"quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 130108, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 130107, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", 
"https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 130089, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 130087, "scanner": "repobility-docker", "fingerprint": "e622e166b746e79026fef23536591815984f91c5090d33e356afe375bd8f273c", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e622e166b746e79026fef23536591815984f91c5090d33e356afe375bd8f273c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 38}}}]}, {"ruleId": 
"AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130084, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c5a13c75d518b24bf2784d160288a731fccbbe5148a14e17e393c1001d648e8b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/render/gl/passes/StructureLevelPass.ts", "duplicate_line": 152, "correlation_key": "fp|c5a13c75d518b24bf2784d160288a731fccbbe5148a14e17e393c1001d648e8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/passes/name-pass/TextProgram.ts"}, "region": {"startLine": 110}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130083, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d714f2a7df1619b7c59411fe3dc0b10ff074bbc1f0b9efb1c05616bad74c2ea2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/render/gl/passes/name-pass/IconProgram.ts", "duplicate_line": 92, "correlation_key": "fp|d714f2a7df1619b7c59411fe3dc0b10ff074bbc1f0b9efb1c05616bad74c2ea2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/passes/name-pass/StatusIconProgram.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 130082, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7b7260c2e0f92d7d471ad17cd39c51b8b9c84b9cb9a0ff9aa71fe074afb10b0c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/render/gl/passes/name-pass/DebugProgram.ts", "duplicate_line": 43, "correlation_key": "fp|7b7260c2e0f92d7d471ad17cd39c51b8b9c84b9cb9a0ff9aa71fe074afb10b0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/passes/name-pass/StatusIconProgram.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130081, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dae5890bb1ce01854ac2ed1ece48d1e8ff2eb11b192f57d1fe5bfb00d38fcaa1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/render/gl/passes/name-pass/DebugProgram.ts", "duplicate_line": 31, "correlation_key": "fp|dae5890bb1ce01854ac2ed1ece48d1e8ff2eb11b192f57d1fe5bfb00d38fcaa1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/passes/name-pass/IconProgram.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 130080, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8f426ae801ed89f1b0a1f3c97093b312505b80fc7b6b813bbd3e8b640cf315fa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/render/gl/passes/StructureLevelPass.ts", "duplicate_line": 127, "correlation_key": "fp|8f426ae801ed89f1b0a1f3c97093b312505b80fc7b6b813bbd3e8b640cf315fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/passes/fx-pass/FxSpritePass.ts"}, "region": {"startLine": 182}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130079, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4b88ff75bea542b2043f412e5b78f3760704f61f2a1ee4aeaa032bcd069d1d2a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/render/gl/passes/StructureLevelPass.ts", "duplicate_line": 126, "correlation_key": "fp|4b88ff75bea542b2043f412e5b78f3760704f61f2a1ee4aeaa032bcd069d1d2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/passes/fx-pass/FxShockwavePass.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130078, "scanner": "repobility-ai-code-hygiene", 
"fingerprint": "861306c254e3b4edd773386284675ec701b3648e0a8594c8c774d724ec6fda1a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/render/gl/passes/StructureLevelPass.ts", "duplicate_line": 126, "correlation_key": "fp|861306c254e3b4edd773386284675ec701b3648e0a8594c8c774d724ec6fda1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/passes/fx-pass/FxAttackRingPass.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130077, "scanner": "repobility-ai-code-hygiene", "fingerprint": "94469b03a64605eb15e9db24bfd93ed2948e3191915bcc2d7ef086f4fec33a82", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/render/gl/passes/StructureLevelPass.ts", "duplicate_line": 82, "correlation_key": "fp|94469b03a64605eb15e9db24bfd93ed2948e3191915bcc2d7ef086f4fec33a82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/passes/WorldTextPass.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130076, "scanner": "repobility-ai-code-hygiene", "fingerprint": "80d696060b68053af782f135518099f9db0b3379d0c23bce3b12a91c1545d7fd", 
"category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/render/gl/passes/StructurePass.ts", "duplicate_line": 129, "correlation_key": "fp|80d696060b68053af782f135518099f9db0b3379d0c23bce3b12a91c1545d7fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/passes/UnitPass.ts"}, "region": {"startLine": 143}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130075, "scanner": "repobility-ai-code-hygiene", "fingerprint": "79e5b16c4bdfe51c6c8860a4ea1534df48d2df5cf133628411de9b249c6ed1bf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/render/gl/passes/BorderScatterPass.ts", "duplicate_line": 119, "correlation_key": "fp|79e5b16c4bdfe51c6c8860a4ea1534df48d2df5cf133628411de9b249c6ed1bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/passes/TileScatterPass.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130074, "scanner": "repobility-ai-code-hygiene", "fingerprint": "301969aea8c297b83c60c2d3a0754272619b18757601f8e733e1618c7ea1ef74", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/render/gl/passes/NukeTelegraphPass.ts", "duplicate_line": 74, "correlation_key": "fp|301969aea8c297b83c60c2d3a0754272619b18757601f8e733e1618c7ea1ef74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/passes/StructurePass.ts"}, "region": {"startLine": 212}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130073, "scanner": "repobility-ai-code-hygiene", "fingerprint": "19f49c51f0baa9d6b0c1e57d06e53f62bd200c8564d0e191970bfc20e6d003c7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/render/gl/passes/NukeTelegraphPass.ts", "duplicate_line": 74, "correlation_key": "fp|19f49c51f0baa9d6b0c1e57d06e53f62bd200c8564d0e191970bfc20e6d003c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/passes/StructureLevelPass.ts"}, "region": {"startLine": 193}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130072, "scanner": "repobility-ai-code-hygiene", "fingerprint": "374f322e4904bbbfe39932367d7744f837b7974d09486a1e3ad0ae844ac592b7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two 
different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/render/gl/passes/SamRadiusPass.ts", "duplicate_line": 246, "correlation_key": "fp|374f322e4904bbbfe39932367d7744f837b7974d09486a1e3ad0ae844ac592b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/passes/StructureLevelPass.ts"}, "region": {"startLine": 191}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130071, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e8e5868eb5d38256efe40dd785574659d55767eb50a1601516f92456578fc01f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/render/gl/passes/CrosshairPass.ts", "duplicate_line": 27, "correlation_key": "fp|e8e5868eb5d38256efe40dd785574659d55767eb50a1601516f92456578fc01f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/passes/SelectionBoxPass.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130070, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5c1e75a8f8d9445ff4c3d2d2fba7078431a1378db745ef2ec6120676d932fa7b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/render/gl/passes/NukeTelegraphPass.ts", "duplicate_line": 38, "correlation_key": "fp|5c1e75a8f8d9445ff4c3d2d2fba7078431a1378db745ef2ec6120676d932fa7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/passes/SamRadiusPass.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130069, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8198820dcd830d0f1204931bd0bbb1a1094d58ecae101db76e36acdadb1591f6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/render/gl/passes/CrosshairPass.ts", "duplicate_line": 27, "correlation_key": "fp|8198820dcd830d0f1204931bd0bbb1a1094d58ecae101db76e36acdadb1591f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/passes/RangeCirclePass.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130068, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1f7a22585c07117225a5de2ba0c1bd12a86ad1b5621f1545472b306a280d3466", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"src/client/render/gl/passes/CrosshairPass.ts", "duplicate_line": 28, "correlation_key": "fp|1f7a22585c07117225a5de2ba0c1bd12a86ad1b5621f1545472b306a280d3466"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/passes/RadialMenuPass.ts"}, "region": {"startLine": 100}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130067, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3ac5dd72b4d3f345dbf0691738c529f88f0df91c62e09a87a1a5efd1219b66e8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/render/gl/passes/FalloutBloomPass.ts", "duplicate_line": 64, "correlation_key": "fp|3ac5dd72b4d3f345dbf0691738c529f88f0df91c62e09a87a1a5efd1219b66e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/passes/FalloutLightPass.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130066, "scanner": "repobility-ai-code-hygiene", "fingerprint": "45f78245017ac1309f50f6481e2a07643edc0d3e264cac1ee5b48f974d2e9948", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/render/gl/passes/BorderComputePass.ts", "duplicate_line": 49, "correlation_key": 
"fp|45f78245017ac1309f50f6481e2a07643edc0d3e264cac1ee5b48f974d2e9948"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/passes/BorderScatterPass.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130065, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5a81dab929e96ab589d8fdc8e974163d6899bd46c45b9adbc8c57bd19c5b27c6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/hud/layers/ImmunityTimer.ts", "duplicate_line": 18, "correlation_key": "fp|5a81dab929e96ab589d8fdc8e974163d6899bd46c45b9adbc8c57bd19c5b27c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/hud/layers/SpawnTimer.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130064, "scanner": "repobility-ai-code-hygiene", "fingerprint": "710d4ab7708331e6d899e12c1578ecb6d19a619eb907b85321aec4f5d679fe2a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/hud/layers/GraphicsSettingsModal.ts", "duplicate_line": 56, "correlation_key": "fp|710d4ab7708331e6d899e12c1578ecb6d19a619eb907b85321aec4f5d679fe2a"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "src/client/hud/layers/SettingsModal.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130063, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6eb48c2d16818e4eb8f4defc8302a22da9f494aedc8b2ef7a4188ec61f49e4f7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/hud/layers/ActionableEvents.ts", "duplicate_line": 78, "correlation_key": "fp|6eb48c2d16818e4eb8f4defc8302a22da9f494aedc8b2ef7a4188ec61f49e4f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/hud/layers/EventsDisplay.ts"}, "region": {"startLine": 148}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130062, "scanner": "repobility-ai-code-hygiene", "fingerprint": "736bc57ea3e19beb199bd94e91bc90ed486724369b866c8600e9e7c4d0e62f06", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/hud/layers/AttacksDisplay.ts", "duplicate_line": 99, "correlation_key": "fp|736bc57ea3e19beb199bd94e91bc90ed486724369b866c8600e9e7c4d0e62f06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/hud/layers/EventsDisplay.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "AIC003", 
"level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130061, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f97caa171401765484a56e60773e8e016ef89b6e9090222a401a33fbf9fc2c01", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/components/leaderboard/LeaderboardClanTable.ts", "duplicate_line": 92, "correlation_key": "fp|f97caa171401765484a56e60773e8e016ef89b6e9090222a401a33fbf9fc2c01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/components/leaderboard/LeaderboardPlayerList.ts"}, "region": {"startLine": 268}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130060, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5cd5ff7dd00e0298212e2af306f6743285d8c7e8f5913d56de8f4c443493804a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/components/clan/ClanBrowseView.ts", "duplicate_line": 100, "correlation_key": "fp|5cd5ff7dd00e0298212e2af306f6743285d8c7e8f5913d56de8f4c443493804a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/components/clan/ClanShared.ts"}, "region": {"startLine": 154}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source 
files"}, "properties": {"repobilityId": 130059, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4b79e70a8b4b40ff3f076eb661b6b21ebc346e2bfbc7b4d85ab240fe591a6650", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/components/clan/ClanBansView.ts", "duplicate_line": 72, "correlation_key": "fp|4b79e70a8b4b40ff3f076eb661b6b21ebc346e2bfbc7b4d85ab240fe591a6650"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/components/clan/ClanRequestsView.ts"}, "region": {"startLine": 104}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130058, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b015d8b2bce29735df9ca8c5a76ebd138f9e3b009719ef681bfceb8fa2a05784", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/ClanModal.ts", "duplicate_line": 476, "correlation_key": "fp|b015d8b2bce29735df9ca8c5a76ebd138f9e3b009719ef681bfceb8fa2a05784"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/components/clan/ClanDetailView.ts"}, "region": {"startLine": 367}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130057, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"3b0347f60aa5667cf95a19011ac1b047862820b1fa777697319484c54ad6d06e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/ClanModal.ts", "duplicate_line": 517, "correlation_key": "fp|3b0347f60aa5667cf95a19011ac1b047862820b1fa777697319484c54ad6d06e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/components/clan/ClanCard.ts"}, "region": {"startLine": 87}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130056, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a14b1cf6744d7e8e24534b5744fee39a53cf8e5ae9511197591df3a2380ed200", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/components/DesktopNavBar.ts", "duplicate_line": 7, "correlation_key": "fp|a14b1cf6744d7e8e24534b5744fee39a53cf8e5ae9511197591df3a2380ed200"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/components/MobileNavBar.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 130055, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3e1920ac35fb3368eb10e82e576c6f0dd20a70f4a05f5c7daab9687c472f7e3d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/client/FlagInputModal.ts", "duplicate_line": 135, "correlation_key": "fp|3e1920ac35fb3368eb10e82e576c6f0dd20a70f4a05f5c7daab9687c472f7e3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/TerritoryPatternsModal.ts"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 130054, "scanner": "repobility-threat-engine", "fingerprint": "7d276ae4e7ee676f1cfa9d1e758dceee2e1da39aa507de83776413a3b0a93695", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7d276ae4e7ee676f1cfa9d1e758dceee2e1da39aa507de83776413a3b0a93695"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vite.config.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 22 more): Same pattern found in 22 additional files. 
Review if needed."}, "properties": {"repobilityId": 130046, "scanner": "repobility-threat-engine", "fingerprint": "0e4edd7fe9518f7277fed6092142035e57b063cf1d50a9f85d4bb934c5de10f9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0e4edd7fe9518f7277fed6092142035e57b063cf1d50a9f85d4bb934c5de10f9"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 14 more): Same pattern found in 14 additional files. Review if needed."}, "properties": {"repobilityId": 130042, "scanner": "repobility-threat-engine", "fingerprint": "394144a5ac198a2a2039282568e53443ae110bd233f05c3de716bfd0d5cc1861", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 14 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|394144a5ac198a2a2039282568e53443ae110bd233f05c3de716bfd0d5cc1861", "aggregated_count": 14}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 130041, "scanner": "repobility-threat-engine", "fingerprint": "e826f1c7bb45fbed047d586505d4e56a4b9ac093ac5d2b31562519bfaebce77c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e826f1c7bb45fbed047d586505d4e56a4b9ac093ac5d2b31562519bfaebce77c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/Layout.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 130040, "scanner": "repobility-threat-engine", "fingerprint": "9bfcc471d44c0c9e44924e97df18b121bc0fe8a83f559d3b79562dbf78082361", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9bfcc471d44c0c9e44924e97df18b121bc0fe8a83f559d3b79562dbf78082361"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/LangSelector.ts"}, "region": {"startLine": 278}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 130039, "scanner": "repobility-threat-engine", "fingerprint": "92d0e632c4b4d0cd42b19a64935751c3500b5968da42032af42bb57186c9f655", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|92d0e632c4b4d0cd42b19a64935751c3500b5968da42032af42bb57186c9f655"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/FlagInputModal.ts"}, "region": {"startLine": 198}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 130038, "scanner": "repobility-threat-engine", "fingerprint": "57a66d8089dbb0f16c0fbc2c99bff20835ea29c668391e3ba302d34ec078a586", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|57a66d8089dbb0f16c0fbc2c99bff20835ea29c668391e3ba302d34ec078a586", "aggregated_count": 2}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 130037, "scanner": "repobility-threat-engine", "fingerprint": "0ace97b4da6d6a38e6face6989fed3b982ab67f425061750da340fcff024136e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0ace97b4da6d6a38e6face6989fed3b982ab67f425061750da340fcff024136e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/TroubleshootingModal.ts"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 130036, "scanner": "repobility-threat-engine", "fingerprint": "843bb2f80ca4588f0f63545a29cdeb93f4c80ac16b3fa7d0b0225ae459e3bd21", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|843bb2f80ca4588f0f63545a29cdeb93f4c80ac16b3fa7d0b0225ae459e3bd21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/LangSelector.ts"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 130035, "scanner": "repobility-threat-engine", "fingerprint": "f0c4446185c4b525cb0ae6cf86ec103c980e720759a0bdd0125b894fa764f12f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f0c4446185c4b525cb0ae6cf86ec103c980e720759a0bdd0125b894fa764f12f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/CrazyGamesSDK.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 130034, "scanner": "repobility-threat-engine", "fingerprint": "44f6265a1080749289bae55432e909489e74d094cde600f1bdc269913dc08145", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|44f6265a1080749289bae55432e909489e74d094cde600f1bdc269913dc08145", "aggregated_count": 18}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 130033, "scanner": "repobility-threat-engine", "fingerprint": "11499d7c0df085da5904d0ccd04c1ebf508b044aa8029898ba513f7b8fefe98f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|11499d7c0df085da5904d0ccd04c1ebf508b044aa8029898ba513f7b8fefe98f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/LocalServer.ts"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 130032, "scanner": "repobility-threat-engine", "fingerprint": "b88cf22f01e8bd329d1d26542a24ce0af0b374654eec8c6886c90d884f88e1ff", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b88cf22f01e8bd329d1d26542a24ce0af0b374654eec8c6886c90d884f88e1ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/LeaderboardModal.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 130031, "scanner": "repobility-threat-engine", "fingerprint": "ab976ed68a28fe7f99e40c67e7519b356788706b53e0f76808f206f203b8b3f5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ab976ed68a28fe7f99e40c67e7519b356788706b53e0f76808f206f203b8b3f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/CrazyGamesSDK.ts"}, "region": {"startLine": 144}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 130030, "scanner": "repobility-threat-engine", "fingerprint": "05fd83f5ca2a117a116ddeae5e7a7b10d2eaebca74711bab3f2cfb43cbff8a88", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error(\"Token login failed\", response)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|src/client/auth.ts|2|console.error token login failed response"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/Auth.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 130029, "scanner": "repobility-threat-engine", "fingerprint": "a0769f34321ccb4a2408866410ff258332c2e3d0c176eda236c0efe5490d0026", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a0769f34321ccb4a2408866410ff258332c2e3d0c176eda236c0efe5490d0026"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 73 more): Same pattern found in 73 additional files. Review if needed."}, "properties": {"repobilityId": 130025, "scanner": "repobility-threat-engine", "fingerprint": "1eb5df8444fd1dac5c7227d8d2334411cb269e0e92260a9a14add4314c712897", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 73 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1eb5df8444fd1dac5c7227d8d2334411cb269e0e92260a9a14add4314c712897", "aggregated_count": 73}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 130024, "scanner": "repobility-threat-engine", "fingerprint": "002edd7c0a4c4d695eb240a05da41b5fe67c0ffe6995919ea946fee791b76734", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|002edd7c0a4c4d695eb240a05da41b5fe67c0ffe6995919ea946fee791b76734"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/issue-lifecycle/github.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 130023, "scanner": "repobility-threat-engine", "fingerprint": "e7a86bacd3696602ff7c9684eb05b4293f720e67224a147e05048864b287d19a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e7a86bacd3696602ff7c9684eb05b4293f720e67224a147e05048864b287d19a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/issue-lifecycle/events.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 130022, "scanner": "repobility-threat-engine", "fingerprint": "b7fb82f578e2041961f179ddb2bc221df6d7a0148fc03197900b4653192af3e9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b7fb82f578e2041961f179ddb2bc221df6d7a0148fc03197900b4653192af3e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/issue-lifecycle/cron.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 130021, "scanner": "repobility-threat-engine", "fingerprint": "027858e3d15ea7f31d7ffaddde58f7af1352649648f9967ea5f9a2096c094451", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|027858e3d15ea7f31d7ffaddde58f7af1352649648f9967ea5f9a2096c094451"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"map-generator/main.go"}, "region": {"startLine": 295}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130143, "scanner": "repobility-supply-chain", "fingerprint": "e7ff6b7613eadd632b21566683a7b2afd253cd604ba627fc00a914774c6afda9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e7ff6b7613eadd632b21566683a7b2afd253cd604ba627fc00a914774c6afda9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130142, "scanner": "repobility-supply-chain", "fingerprint": "60f2aeb694e5aa62e420fb15e24bbef45b8d7e077e2d8f5cdd3f8214908afd1a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|60f2aeb694e5aa62e420fb15e24bbef45b8d7e077e2d8f5cdd3f8214908afd1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130141, "scanner": "repobility-supply-chain", "fingerprint": "3b8d9c36438d0fca60d08b73185e71c2b1e7e468fd701ceb7dd527443d154c98", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3b8d9c36438d0fca60d08b73185e71c2b1e7e468fd701ceb7dd527443d154c98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130140, "scanner": "repobility-supply-chain", "fingerprint": "91529990b03b4d471c8db3e794ee95971d753a2108538492b373345e36d29d9a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|91529990b03b4d471c8db3e794ee95971d753a2108538492b373345e36d29d9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130139, "scanner": "repobility-supply-chain", "fingerprint": "7e56896f8bd84c0cd7758372433d3cfb0029e7d4dc529eedc51825674109fd19", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e56896f8bd84c0cd7758372433d3cfb0029e7d4dc529eedc51825674109fd19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130138, "scanner": "repobility-supply-chain", "fingerprint": "3af130a4b23c6983497594d29969a8f36b805213a24f02fb7a3ea0024977de39", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3af130a4b23c6983497594d29969a8f36b805213a24f02fb7a3ea0024977de39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130137, "scanner": "repobility-supply-chain", "fingerprint": "f68ec219f61c4f00fdd059a84c2a5d6a1197e7591e32e848298f33ce77723460", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f68ec219f61c4f00fdd059a84c2a5d6a1197e7591e32e848298f33ce77723460"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130136, "scanner": "repobility-supply-chain", "fingerprint": "482d332d2fe1744ae5c1af1a62f694b4c91b8ddbb071514abc33daacd1a8fa0b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|482d332d2fe1744ae5c1af1a62f694b4c91b8ddbb071514abc33daacd1a8fa0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130135, "scanner": "repobility-supply-chain", "fingerprint": "573df1e562e92dc393c6d5294a43b92752f82c09f42148c49b6f58273f75a66c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|573df1e562e92dc393c6d5294a43b92752f82c09f42148c49b6f58273f75a66c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130134, "scanner": "repobility-supply-chain", "fingerprint": "f3360296063c601a2fa063d3741cd6d8efaf80712044c2537e887adb4f75c225", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f3360296063c601a2fa063d3741cd6d8efaf80712044c2537e887adb4f75c225"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130133, "scanner": "repobility-supply-chain", "fingerprint": "87e81c4a02cf7b0afdaedd2668683c29687367257d11ca5906cfae76f0b5301c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|87e81c4a02cf7b0afdaedd2668683c29687367257d11ca5906cfae76f0b5301c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130132, "scanner": "repobility-supply-chain", "fingerprint": "4043d4c4b79292aa5aee066cd3e4b32a7dd9e90ca2b2d3f487730d2482bf84df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4043d4c4b79292aa5aee066cd3e4b32a7dd9e90ca2b2d3f487730d2482bf84df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130131, "scanner": "repobility-supply-chain", "fingerprint": "c8f4dc4068a6680ec405fa1c33c02b17457730552c2ce41b8d29990696ebc77b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c8f4dc4068a6680ec405fa1c33c02b17457730552c2ce41b8d29990696ebc77b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130130, "scanner": "repobility-supply-chain", "fingerprint": "784ce5d743c8f56ababc3aa96776433fb36ddd64c297b5f224896d790eb90213", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|784ce5d743c8f56ababc3aa96776433fb36ddd64c297b5f224896d790eb90213"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130129, "scanner": "repobility-supply-chain", "fingerprint": "d2d528ed76cfed85c51c8df6e48e724e2904f40520f64ffc311ac4add974af56", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d2d528ed76cfed85c51c8df6e48e724e2904f40520f64ffc311ac4add974af56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130128, "scanner": "repobility-supply-chain", "fingerprint": "dab1ed1d5821f0f27c3288bb5365b775cc1803d9a7df2bdb8ef54050f5bc1977", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dab1ed1d5821f0f27c3288bb5365b775cc1803d9a7df2bdb8ef54050f5bc1977"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130127, "scanner": "repobility-supply-chain", "fingerprint": "72f3e5f3676f450da05e3a932434fe62381cffe7787a816c0ffe0e031305d4b7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|72f3e5f3676f450da05e3a932434fe62381cffe7787a816c0ffe0e031305d4b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130126, "scanner": "repobility-supply-chain", "fingerprint": "293d5f78c2179bc65f2c44db0ab83488f20767f4a17e2119a51831d68f9ab3b8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|293d5f78c2179bc65f2c44db0ab83488f20767f4a17e2119a51831d68f9ab3b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v3`: `uses: actions/create-github-app-token@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130125, "scanner": "repobility-supply-chain", "fingerprint": "5e03db688c32183042fc247a3997cd4a20d1b02deb29af73dd1cb4a1916a65da", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5e03db688c32183042fc247a3997cd4a20d1b02deb29af73dd1cb4a1916a65da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130124, "scanner": "repobility-supply-chain", "fingerprint": "e15b682c72abd82a08e6967fc84e307c8dd31c0a90ed424035334eac6bc4a6a4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e15b682c72abd82a08e6967fc84e307c8dd31c0a90ed424035334eac6bc4a6a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130123, "scanner": "repobility-supply-chain", "fingerprint": "da88c2c4851fb0c7975a81f8eacc7ae5ae60b8867f9de01e58a7466adbedfbb9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|da88c2c4851fb0c7975a81f8eacc7ae5ae60b8867f9de01e58a7466adbedfbb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/issue-lifecycle-events.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130122, "scanner": "repobility-supply-chain", "fingerprint": "b9283a8281e4e61f41f25d0be149fb55485a91f1375ea173624262cc568af301", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b9283a8281e4e61f41f25d0be149fb55485a91f1375ea173624262cc568af301"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/issue-lifecycle-events.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130121, "scanner": "repobility-supply-chain", "fingerprint": "aab62402ba4f7f9c5a031b1b2dfdfb9110f732eb1762c8f31be7b9adcc26ade5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aab62402ba4f7f9c5a031b1b2dfdfb9110f732eb1762c8f31be7b9adcc26ade5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-description.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130120, "scanner": "repobility-supply-chain", "fingerprint": "d743df5c057af9a61a9334a39aaacfdf2f7d2366f1de01e9362ebead5ac3288a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d743df5c057af9a61a9334a39aaacfdf2f7d2366f1de01e9362ebead5ac3288a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-description.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 130119, "scanner": "repobility-supply-chain", "fingerprint": "deefed0583f4248c336c89b1219a758c48b0411cef66df3ab0ed1bbfbc8fb9b3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|deefed0583f4248c336c89b1219a758c48b0411cef66df3ab0ed1bbfbc8fb9b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-close-on-label.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-slim` not pinned by digest: `FROM node:24-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 130118, "scanner": "repobility-supply-chain", "fingerprint": "986d98ba519276caa9d1a263559fa551c72224584b31eb800f7063d6451f200a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|986d98ba519276caa9d1a263559fa551c72224584b31eb800f7063d6451f200a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/archive_singleplayer_game has no auth: Express route POST /api/archive_singleplayer_game declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 130117, "scanner": "repobility-route-auth", "fingerprint": "3433f993c50b3febf9bbc2e7a38809d10ad32e824905d86dd6ab7b2659af3ceb", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|3433f993c50b3febf9bbc2e7a38809d10ad32e824905d86dd6ab7b2659af3ceb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/Worker.ts"}, "region": {"startLine": 235}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/create_game/:id has no auth: Express route POST /api/create_game/:id declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 130116, "scanner": "repobility-route-auth", "fingerprint": "4d23daf3823b3f14c95c8c34572f8ccf3763a39d158d00a9b9188f6c1120ee92", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|4d23daf3823b3f14c95c8c34572f8ccf3763a39d158d00a9b9188f6c1120ee92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/Worker.ts"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/cache/clear has no auth: Express route POST /api/cache/clear declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 130115, "scanner": "repobility-route-auth", "fingerprint": "091de90472465f5a6beeabc4a2d47915b9dfeb654678063cb83e74fbb21a56cd", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|091de90472465f5a6beeabc4a2d47915b9dfeb654678063cb83e74fbb21a56cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/pathfinding/playground/server.ts"}, "region": {"startLine": 222}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/spatial-query has no auth: Express route POST /api/spatial-query declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 130114, "scanner": "repobility-route-auth", "fingerprint": "f5519cfab3e61022547459397e5fff87b5d1bf830c7853647d234b8206b194f9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f5519cfab3e61022547459397e5fff87b5d1bf830c7853647d234b8206b194f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/pathfinding/playground/server.ts"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /api/pathfind has no auth: Express route POST /api/pathfind declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 130113, "scanner": "repobility-route-auth", "fingerprint": "93e06cec7865eca3ec985f814d8adeb998630479fac74ec6f9a1ababfebee1aa", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|93e06cec7865eca3ec985f814d8adeb998630479fac74ec6f9a1ababfebee1aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/pathfinding/playground/server.ts"}, "region": {"startLine": 116}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 130106, "scanner": "repobility-journey-contract", "fingerprint": "27c943388baff1fbd48e642f95eb8e1fc07ef35192f7f7d34ff5d115ad1401b8", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|460|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 0}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "resources/privacy-policy.html"}, "region": {"startLine": 460}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization 
evidence. This is a BOLA/IDOR review target. Endpoint: GET /game/:id."}, "properties": {"repobilityId": 130093, "scanner": "repobility-access-control", "fingerprint": "584f40e383ff0f3e3df4f643fc586b74e9bb3d053038b5bcbfa410e816d50a97", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/game/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|82|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/GamePreviewRoute.ts"}, "region": {"startLine": 82}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /api/game/:id."}, "properties": {"repobilityId": 130092, "scanner": "repobility-access-control", "fingerprint": "ec98c925aa091862887f6a2cd92f23b58b30008120c3e78f6196ed7c621c1d39", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/game/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|src/server/worker.ts|218|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/server/Worker.ts"}, "region": {"startLine": 218}}}]}, {"ruleId": "MINED031", "level": "error", "message": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. 
React won't re-render."}, "properties": {"repobilityId": 130053, "scanner": "repobility-threat-engine", "fingerprint": "aeb029561b82afda37b4fe235ecce92474d7fd4ea1d0c79d7433ce6232da40fa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-direct-state-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347971+00:00", "triaged_in_corpus": 15, "observations_count": 6168, "ai_coder_pattern_id": 137}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aeb029561b82afda37b4fe235ecce92474d7fd4ea1d0c79d7433ce6232da40fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/view/UnitView.ts"}, "region": {"startLine": 117}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 130052, "scanner": "repobility-threat-engine", "fingerprint": "ff3bad4b9a817882c761f0e00861bae53866eb3f98ce74fdd8d0dc1fcb95cd1a", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([k, v]) => `#define ${k} ${v}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ff3bad4b9a817882c761f0e00861bae53866eb3f98ce74fdd8d0dc1fcb95cd1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/render/gl/utils/GlUtils.ts"}, "region": {"startLine": 134}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 130045, "scanner": "repobility-threat-engine", "fingerprint": "07a84315717a9ea779f187cec612997ee5e2e5e3567276b51f30b2b9850f2f1a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.outgoingAttackTicks.delete(playerID);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|07a84315717a9ea779f187cec612997ee5e2e5e3567276b51f30b2b9850f2f1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/hud/layers/AlertFrame.ts"}, "region": {"startLine": 173}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 130044, "scanner": "repobility-threat-engine", "fingerprint": "e6f117abecbeda3970135f4716dcb2db382ebf9d3305a7719834cc6184d4ebba", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.alliancesCheckedAt.delete(allianceId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e6f117abecbeda3970135f4716dcb2db382ebf9d3305a7719834cc6184d4ebba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/hud/layers/ActionableEvents.ts"}, "region": {"startLine": 187}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 130043, "scanner": "repobility-threat-engine", "fingerprint": "4cb3fe30d46222ddd852a6ed65b8bea079b03e0e50a8e1538acd61ef6fc7572f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "params.delete(\"modal\");", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4cb3fe30d46222ddd852a6ed65b8bea079b03e0e50a8e1538acd61ef6fc7572f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/ModalRouter.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 130028, "scanner": "repobility-threat-engine", "fingerprint": "fefd00f6098e4726521d3290cc64874a1707824534c0745c2c1c81aa6854a7bd", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fefd00f6098e4726521d3290cc64874a1707824534c0745c2c1c81aa6854a7bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/WebGLFrameBuilder.ts"}, "region": {"startLine": 167}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 130027, "scanner": "repobility-threat-engine", "fingerprint": "7b270450e8953d81c215a78e2d477dd3b5fe381f537f616d444f0e0db296fdd5", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7b270450e8953d81c215a78e2d477dd3b5fe381f537f616d444f0e0db296fdd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/FlagInput.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 130026, "scanner": "repobility-threat-engine", "fingerprint": "7bdb1c1050b2ba7996bf888b1a20d6040ce1d1444b522eff6ceac3886ede5642", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(w", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7bdb1c1050b2ba7996bf888b1a20d6040ce1d1444b522eff6ceac3886ede5642"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/Api.ts"}, "region": {"startLine": 280}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 130020, "scanner": "repobility-threat-engine", "fingerprint": "87d4baf3981c846a75b7928806c1d09d9c4bc2353830627554fb6dae48b7a33a", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.Join(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|map-generator/main.go|170|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "map-generator/main.go"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 130019, "scanner": "repobility-threat-engine", "fingerprint": "7429a06efef8076d2e3de890172b5aa6373ceaac1737defa10cca48923a3535f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7429a06efef8076d2e3de890172b5aa6373ceaac1737defa10cca48923a3535f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "map-generator/logger.go"}, "region": {"startLine": 174}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 130096, "scanner": "repobility-journey-contract", "fingerprint": "7b033014b6ae812ee90c5a9ce1809e9d4329057c11cc331ce4ffc5402df7361c", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|src/client/auth.ts|19|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/client/Auth.ts"}, "region": {"startLine": 19}}}]}]}]}