{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.25, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `wow-actions/use-app-token` pinned to mutable ref `@v2`", "shortDescription": {"text": "Action `wow-actions/use-app-token` pinned to mutable ref `@v2`"}, "fullDescription": {"text": "`uses: wow-actions/use-app-token@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/196"}, "properties": {"repository": "bubkoo/html-to-image", "repoUrl": "https://github.com/bubkoo/html-to-image", "branch": "master"}, "results": [{"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 50450, "scanner": "repobility-threat-engine", "fingerprint": "199113ee8fc77a83d195ca285955d9e1c8028e7e542f94fe99c0080531e83747", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|src/mimes.ts|18|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mimes.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 50449, "scanner": "repobility-threat-engine", "fingerprint": "adb78f467f67b5006a7452dd23eb04f5b2faa266b763401ae98bc4000427d198", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|src/embed-webfonts.ts|69|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/embed-webfonts.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 50448, "scanner": "repobility-threat-engine", "fingerprint": "c2b0bfb3803d5a14518c848c09983c46b1b74f2ee43cc04d4d169a5dd9771513", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|src/embed-resources.ts|60|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/embed-resources.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 5974, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 5976, "scanner": "repobility-web-presence", "fingerprint": "4043225faa3d194ec7d83eb6b506a77044cc47247819125860baa12b890ba86d", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|4043225faa3d194ec7d83eb6b506a77044cc47247819125860baa12b890ba86d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pnpm-lock.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 5975, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 5972, "scanner": "repobility-threat-engine", "fingerprint": "dd0c7511cc867f93266732ead01a5ff3d658483f57926aafe5cafa22677a9b20", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = n", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|src/clone-node.ts|168|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/clone-node.ts"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 50447, "scanner": "repobility-threat-engine", "fingerprint": "b66cef8ad8218b53ffb792b09ac8ed28d2e850ea878a726d4becfb364ecc0023", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b66cef8ad8218b53ffb792b09ac8ed28d2e850ea878a726d4becfb364ecc0023"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/embed-images.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 50446, "scanner": "repobility-threat-engine", "fingerprint": "56e9157949a7aa7cfb4de917aeb216106ea61e7849c2891f7497f65a38ecd31f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|56e9157949a7aa7cfb4de917aeb216106ea61e7849c2891f7497f65a38ecd31f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/embed-webfonts.ts"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 50445, "scanner": "repobility-threat-engine", "fingerprint": "874ef44053a51d0c6da47757b906b66a3e26c247f498995018f0daf2acf04681", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|874ef44053a51d0c6da47757b906b66a3e26c247f498995018f0daf2acf04681"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dataurl.ts"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 50444, "scanner": "repobility-threat-engine", "fingerprint": "152ed9d21e12546045c0c379b712af8340f0106b92d64c1c7f43524b572830ca", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|152ed9d21e12546045c0c379b712af8340f0106b92d64c1c7f43524b572830ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/embed-images.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 50443, "scanner": "repobility-threat-engine", "fingerprint": "49e7b67d9544bcc75dd20fc5339bf8f2550657d82ddb84563b43f6e29d119cc8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|49e7b67d9544bcc75dd20fc5339bf8f2550657d82ddb84563b43f6e29d119cc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/clone-node.ts"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 50442, "scanner": "repobility-threat-engine", "fingerprint": "98fde733b49b05b01d131682ae97a642d4cb225627a0b43ce68ee68b4a125a22", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|98fde733b49b05b01d131682ae97a642d4cb225627a0b43ce68ee68b4a125a22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/util.ts"}, "region": {"startLine": 226}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 50441, "scanner": "repobility-threat-engine", "fingerprint": "fbd387cad5dccef100260a2dfa44e5298c809fb4262b641fe6625545907ca8b1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fbd387cad5dccef100260a2dfa44e5298c809fb4262b641fe6625545907ca8b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/clone-node.ts"}, "region": {"startLine": 229}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 50440, "scanner": "repobility-threat-engine", "fingerprint": "462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 50436, "scanner": "repobility-threat-engine", "fingerprint": "5d27cb85d924de732838bc8fc75601779c7d2e330c65ccdff3c589108e57dd2c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5d27cb85d924de732838bc8fc75601779c7d2e330c65ccdff3c589108e57dd2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/util.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 50435, "scanner": "repobility-threat-engine", "fingerprint": "bdeed4ef2abe276f9c6c7c675303e9f8838fd9f8ce68f14bbe59449b0619e942", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bdeed4ef2abe276f9c6c7c675303e9f8838fd9f8ce68f14bbe59449b0619e942"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/apply-style.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 5973, "scanner": "repobility-threat-engine", "fingerprint": "2bad208d256c59ab49c3267bcfacff0422ddb0858718276185241d1c5a7f3f94", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|src/util.ts|43|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/util.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 50454, "scanner": "repobility-threat-engine", "fingerprint": "4a227d8afec096a1d1a924cf436e59aa41f3577a4a158d3f0bf7dd2848f2d3f6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(combinedCSSRegex", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4a227d8afec096a1d1a924cf436e59aa41f3577a4a158d3f0bf7dd2848f2d3f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/embed-webfonts.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 50453, "scanner": "repobility-threat-engine", "fingerprint": "179ff4d9ae95b7d20934171e833db67ed048823c5cbaf35c82a7c838386c1811", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|179ff4d9ae95b7d20934171e833db67ed048823c5cbaf35c82a7c838386c1811"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/mimes.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 50452, "scanner": "repobility-threat-engine", "fingerprint": "d7d499a9b064c66ef059ecb6deee0be9ec52532ebc1db3c8465e290b1146c02c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(cssText", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d7d499a9b064c66ef059ecb6deee0be9ec52532ebc1db3c8465e290b1146c02c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/embed-webfonts.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 50451, "scanner": "repobility-threat-engine", "fingerprint": "9a5e4eddda5247ae297d1c3930be890a6bfeba18253454a22aca650ceed5fa1e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(match", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9a5e4eddda5247ae297d1c3930be890a6bfeba18253454a22aca650ceed5fa1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/embed-resources.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 50439, "scanner": "repobility-threat-engine", "fingerprint": "fc2849cc0adcacb621c33e655132c9d8d9fd519472cd892076e8f80f101bad91", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fc2849cc0adcacb621c33e655132c9d8d9fd519472cd892076e8f80f101bad91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/embed-images.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 50438, "scanner": "repobility-threat-engine", "fingerprint": "dcb1f18705db85efd2d1e4ce931c8d59b678142a1b647742237311e7a9806376", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dcb1f18705db85efd2d1e4ce931c8d59b678142a1b647742237311e7a9806376"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/dataurl.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 50437, "scanner": "repobility-threat-engine", "fingerprint": "d1d1720062f4077149ab9ce72d47ed83de68212d1a7f41549f7d79905f7ea75a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d1d1720062f4077149ab9ce72d47ed83de68212d1a7f41549f7d79905f7ea75a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/clone-node.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `wow-actions/use-app-token` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 50434, "scanner": "repobility-supply-chain", "fingerprint": "4c417e291b682e693f671ff5f44d249897e434011aa7ba4662082e3019a23723", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4c417e291b682e693f671ff5f44d249897e434011aa7ba4662082e3019a23723"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 50433, "scanner": "repobility-supply-chain", "fingerprint": "4937ba03757c5c35136a38ae0144ce8135e84e7f960d8cee723c4e13d3417855", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4937ba03757c5c35136a38ae0144ce8135e84e7f960d8cee723c4e13d3417855"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pnpm/action-setup` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 50432, "scanner": "repobility-supply-chain", "fingerprint": "657af6549fc22b906e5f1a0328e469892d9837c4cfc7b4fefd38b6995b62a08d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|657af6549fc22b906e5f1a0328e469892d9837c4cfc7b4fefd38b6995b62a08d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 50431, "scanner": "repobility-supply-chain", "fingerprint": "8e2e184c53e7cf77cf9ff4ac85147857327eb1f58510cb3b2026456cff9cb435", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8e2e184c53e7cf77cf9ff4ac85147857327eb1f58510cb3b2026456cff9cb435"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 50430, "scanner": "repobility-supply-chain", "fingerprint": "4c125097882cad372b7b58fece03d81ace0525d14d664df722a1dd023cfb607a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4c125097882cad372b7b58fece03d81ace0525d14d664df722a1dd023cfb607a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `bubkoo/needs-more-info` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 50429, "scanner": "repobility-supply-chain", "fingerprint": "45de51dd228551a3279be36f29b0873a29e8f96617ad54c230efe725ceaf0dba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45de51dd228551a3279be36f29b0873a29e8f96617ad54c230efe725ceaf0dba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/needs-more-info.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `bubkoo/use-app-token` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 50428, "scanner": "repobility-supply-chain", "fingerprint": "2dadfd27e135107e606faa53ec92b56377e5c53d06e6c5d26c54624539dde243", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2dadfd27e135107e606faa53ec92b56377e5c53d06e6c5d26c54624539dde243"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/needs-more-info.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `bubkoo/contributors-list` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 50427, "scanner": "repobility-supply-chain", "fingerprint": "0b446539836efdb3c62473119c96378d4f317dfdaab44645e494b992a50fbfc5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0b446539836efdb3c62473119c96378d4f317dfdaab44645e494b992a50fbfc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-contributors.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `bubkoo/use-app-token` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 50426, "scanner": "repobility-supply-chain", "fingerprint": "f689f1678775ab5a4e9d43e361710cbad029c2dcf312adcd8817afff60eaf571", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f689f1678775ab5a4e9d43e361710cbad029c2dcf312adcd8817afff60eaf571"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-contributors.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `bubkoo/update-authors` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 50425, "scanner": "repobility-supply-chain", "fingerprint": "7ab977a0a085904afb0117cdf328e96bd781f7c2c4b03609831428ed3713d04c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7ab977a0a085904afb0117cdf328e96bd781f7c2c4b03609831428ed3713d04c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-authors.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `bubkoo/use-app-token` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 50424, "scanner": "repobility-supply-chain", "fingerprint": "84e2abed16f8a71ad07580f61475ec44a867c27820c5c042d10ad5ea37595121", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|84e2abed16f8a71ad07580f61475ec44a867c27820c5c042d10ad5ea37595121"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-authors.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 50423, "scanner": "repobility-supply-chain", "fingerprint": "2daff9874fb62f3796d334be6329bc6695f531d989488cf7c2aa226f74f93758", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2daff9874fb62f3796d334be6329bc6695f531d989488cf7c2aa226f74f93758"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-authors.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pascalgn/size-label-action` pinned to mutable ref `@v0.1.1`"}, "properties": {"repobilityId": 50422, "scanner": "repobility-supply-chain", "fingerprint": "40a9d9cd11dd2fa2704faa5b091a06164880f2a106d31d5dfcca00926f22fba8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|40a9d9cd11dd2fa2704faa5b091a06164880f2a106d31d5dfcca00926f22fba8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-label-patch-size.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `bubkoo/use-app-token` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 50421, "scanner": "repobility-supply-chain", "fingerprint": "ca2c73c3c10efe2619bb00e8829a6d34bc54b89c1dd325ca54ca912a47dc690b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ca2c73c3c10efe2619bb00e8829a6d34bc54b89c1dd325ca54ca912a47dc690b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-label-patch-size.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 50420, "scanner": "repobility-supply-chain", "fingerprint": "2bfb3fdc6c6bd1a214f25debeea909da9b60ee1f162cee0d0c3d67fc7b35e9fd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2bfb3fdc6c6bd1a214f25debeea909da9b60ee1f162cee0d0c3d67fc7b35e9fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-label-patch-size.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `Naturalclar/issue-action` pinned to mutable ref `@v2.0.1`"}, "properties": {"repobilityId": 50419, "scanner": "repobility-supply-chain", "fingerprint": "d6544a323650f3d8981a8c24a192c445ae2a288f0cb7104c6c793b9a7952ed07", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d6544a323650f3d8981a8c24a192c445ae2a288f0cb7104c6c793b9a7952ed07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-label-title-body.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `bubkoo/use-app-token` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 50418, "scanner": "repobility-supply-chain", "fingerprint": "ea37a57cd5f35abc5379ea34f4812623dba65021be2038499f5ed94590d9472a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ea37a57cd5f35abc5379ea34f4812623dba65021be2038499f5ed94590d9472a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-label-title-body.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `bubkoo/pr-triage` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 50417, "scanner": "repobility-supply-chain", "fingerprint": "f59e3b122927cd463848d02e5f8728e34121b847b5b02600184846493932f1f4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f59e3b122927cd463848d02e5f8728e34121b847b5b02600184846493932f1f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-label-status.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `bubkoo/use-app-token` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 50416, "scanner": "repobility-supply-chain", "fingerprint": "872e3f1703f5da5414d431d8dd2219a261c394fcd57039994cf5ba2e19c2d9a8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|872e3f1703f5da5414d431d8dd2219a261c394fcd57039994cf5ba2e19c2d9a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-label-status.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `bubkoo/label-commands` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 50415, "scanner": "repobility-supply-chain", "fingerprint": "d10ee50129ee0af292aaf46b68ddb30501c08dae7ff8d33a8016cffbcd2d9004", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d10ee50129ee0af292aaf46b68ddb30501c08dae7ff8d33a8016cffbcd2d9004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/label-commands.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `bubkoo/use-app-token` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 50414, "scanner": "repobility-supply-chain", "fingerprint": "417862a67f946b2a7b4894cc2f86f08f0f1adf425ab7b62217cb39e4276c3265", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|417862a67f946b2a7b4894cc2f86f08f0f1adf425ab7b62217cb39e4276c3265"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/label-commands.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/codeql-action/analyze` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 50413, "scanner": "repobility-supply-chain", "fingerprint": "71492988e55addcda4051b0a3b6eb37a583fce06c3ec7ffdfa3454b41c340348", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|71492988e55addcda4051b0a3b6eb37a583fce06c3ec7ffdfa3454b41c340348"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/codeql-action/autobuild` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 50412, "scanner": "repobility-supply-chain", "fingerprint": "c103db729bdd554dea6adbcb31aa4d0acee03082f058c1825f574479a1d2e68b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c103db729bdd554dea6adbcb31aa4d0acee03082f058c1825f574479a1d2e68b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/codeql-action/init` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 50411, "scanner": "repobility-supply-chain", "fingerprint": "1acb6897728e4bed42a9f023565af082a95768ce3e2b5358f894a6270d7b5c0f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1acb6897728e4bed42a9f023565af082a95768ce3e2b5358f894a6270d7b5c0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 50410, "scanner": "repobility-supply-chain", "fingerprint": "c74742090ee645fb533161059dac8bb948d31006835f07f4fab60c50c654fb0d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c74742090ee645fb533161059dac8bb948d31006835f07f4fab60c50c654fb0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 27}}}]}]}]}