{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB012", "name": "Service worker is present without a web app manifest", "shortDescription": {"text": "Service worker is present without a web app manifest"}, "fullDescription": {"text": "Add a valid manifest.json or site.webmanifest and reference it from the document head. Include name, icons, start_url, display, and theme colors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. 
For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, and img-src; frame-ancestors (like report-uri and sandbox) is ignored in a meta tag and only takes effect when delivered as an HTTP response header. Roll the policy out as Content-Security-Policy-Report-Only first so it can be tightened without breaking the app."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared, and make sure that user owns any directory the process writes to at runtime."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR017", "name": "Dockerfile installs dependencies after copying the full source tree", "shortDescription": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "fullDescription": {"text": "Copy dependency manifests first, install dependencies in a cached layer, then copy the rest of the source tree."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements; a broad COPY behind a weak .dockerignore is how .env files, private keys, and .git history end up in shipped image layers."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AGT013", "name": "Agent auto-approve or skip-permissions mode is easy to enable", "shortDescription": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "fullDescription": {"text": "Require an explicit isolated profile for auto-approve modes. 
Keep safe defaults interactive, add visible warnings, and block these modes when the workspace contains secrets or production deploy credentials."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` matches exactly the same strings as `a+`; only the captured group differs.\n  2. Use Google's re2 (`pip install google-re2`): a linear-time, drop-in replacement for `re` for most use cases (no backreferences or lookaround).\n  3. Set a hard timeout. Note that `signal.alarm(1)` is Unix-only, works only on the main thread, and generally cannot interrupt CPython's `re` engine in the middle of a match, so enforce the deadline from outside the matcher (a subprocess or worker with a timeout) and cap input length before matching.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. 
If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile 
installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
Commit package-lock.json and run `npm ci` in the image build so every build installs the exact versions that were reviewed. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager, and rotate the committed credential: deleting it from the source does not remove it from git history."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Remove placeholder and default credentials before shipping; read credentials from configuration and fail closed when none is provided rather than falling back to a built-in default. See CWE-1392 and CWE-798 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. 
Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 23 more): Same pattern found in 23 additional f", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 20 more): Same pattern found in 20 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 20 more): Same pattern found in 20 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching, and restrict the scheme to http/https:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private and special-purpose ranges explicitly: 127/8, 10/8, 172.16/12, 192.168/16, 169.254/16, 0.0.0.0/8, and for IPv6 ::1, fc00::/7, fe80::/10. A hostname allowlist alone can be bypassed through DNS rebinding and HTTP redirects, so check the resolved address at connect time and disable or re-validate redirects."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 11 more): Same pattern found in 11 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Key list items by a stable identifier from the data (an id or slug) rather than the array index, so inserts and reorders do not remount components or attach state to the wrong item. See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or, preferably for tokens, `secrets.token_urlsafe()`. UUIDv3 is just as predictable as v1 because it is a deterministic MD5 of namespace and name. In Go, use `uuid.NewRandom()` (google/uuid) or read token bytes from `crypto/rand`."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 7 more): Same pattern found in 7 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 73 more): Same pattern found in 73 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 73 more): Same pattern found in 73 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 11 more): Same pattern found in 11 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 35 more): Same pattern found in 35 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 35 more): Same pattern found in 35 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) and attach a `.catch` so the rejection is still logged; in Python, keep a strong reference to the `asyncio.create_task()` result (for example add it to a set and discard it in a done callback), since the event loop holds only a weak reference and an unreferenced task can be garbage-collected mid-run. Assigning to `_` silences lint but does not provide that reference."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 74 more): Same pattern found in 74 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 74 more): Same pattern found in 74 additional files. Review if needed."}, "fullDescription": {"text": "Route output through a leveled logger that is disabled or redacted in production, and never log tokens, credentials, or full request bodies. See CWE-532 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 20 more): Same pattern found in 20 additional files. 
Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with the command and a separate args array, and do not set `shell: true`; never interpolate untrusted input into a shell string."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `@google/gemini-cli-core` pulled from URL/Git: `dependencies.@google/gemini-cli-core` = `fil", "shortDescription": {"text": "[MINED122] package.json dep `@google/gemini-cli-core` pulled from URL/Git: `dependencies.@google/gemini-cli-core` = `file:../core` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or gi"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI. A `file:` path that resolves inside this repository (here `../core` looks like a sibling workspace package) is a monorepo link rather than a remote fetch; confirm that before treating it as a registry bypass, and reserve this severity for `git+` and URL specifiers."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Produc"}, "fullDescription": {"text": "Replace with: `FROM debian:bookworm-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler cha", "shortDescription": {"text": "[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "fullDescription": {"text": "Add an auth middleware: app.post('/mcp', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment against an absolute, cleaned base: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `const base = path.resolve(baseDir); const resolved = path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`. A prefix check does not see through symlinks inside the base directory; where the tree may contain links, canonicalize with `filepath.EvalSymlinks` / `fs.realpath` before comparing."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). Authentication is not authorization: also check that the caller is allowed to act on the specific resource. For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.GEMINI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`,", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.GEMINI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${{ secrets.GEMINI_API_KEY }}` lets a PR from any fork exfiltrate the secr"}, "fullDescription": {"text": "Either remove the secret reference, or split the workflow: run fork-controlled code (build, tests, the PR's own scripts and package hooks) in a plain `pull_request` job with no secrets, and consume the secret only in a `pull_request_target` job that never checks out or executes the PR head. Note that GitHub withholds repository secrets (other than a restricted GITHUB_TOKEN) from `pull_request` runs triggered by forks, so on this trigger the exposure is to same-repository branches; switching to `pull_request_target` while still checking out `head.sha` is the classic pwn-request and is worse than the original."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/762"}, "properties": {"repository": "google-gemini/gemini-cli", "repoUrl": "https://github.com/google-gemini/gemini-cli", "branch": "main"}, "results": [{"ruleId": "WEB012", "level": "warning", "message": {"text": "Service worker is present without a web app manifest"}, "properties": {"repobilityId": 63496, "scanner": "repobility-web-presence", "fingerprint": "fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A service worker was discovered but no common web manifest file was found.", "evidence": {"rule_id": "WEB012", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/Manifest"], "correlation_key": "fp|fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "manifest.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 63494, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", 
"scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 63493, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 63489, "scanner": "repobility-docker", "fingerprint": "45f07b63673dcafe0ce9dd67dbc11e35ad31d2c803d69e07a37926b59369947b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:bookworm-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|45f07b63673dcafe0ce9dd67dbc11e35ad31d2c803d69e07a37926b59369947b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".gcp/Dockerfile.gemini-code-builder"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 63485, "scanner": "repobility-docker", "fingerprint": "8a7afc8dc5174d478b0730415f30529df13aa818e30eb9740a4aeb3c80436bcc", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 20 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 20, "correlation_key": "fp|8a7afc8dc5174d478b0730415f30529df13aa818e30eb9740a4aeb3c80436bcc", "dependency_install_line": 21}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".gcp/Dockerfile.development"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 63484, "scanner": "repobility-docker", "fingerprint": "d04ee634895b8ded9edabf57f398692ae95c38b07190b1606a61ba38ca062144", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": 
"fp|d04ee634895b8ded9edabf57f398692ae95c38b07190b1606a61ba38ca062144", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".gcp/Dockerfile.development"}, "region": {"startLine": 20}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 63483, "scanner": "repobility-agent-runtime", "fingerprint": "107cf587dc277aec97256f5aafe114cf5dbc5935d849653a10a9af65463c174f", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|107cf587dc277aec97256f5aafe114cf5dbc5935d849653a10a9af65463c174f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/config/settingsSchema.ts"}, "region": {"startLine": 236}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 63482, "scanner": "repobility-agent-runtime", "fingerprint": "e08084726483dbbd830bc8377e9c669c91bb8f4ad7aee64612531ec20811a4b1", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|e08084726483dbbd830bc8377e9c669c91bb8f4ad7aee64612531ec20811a4b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/config/config.ts"}, "region": {"startLine": 258}}}]}, {"ruleId": "AGT013", "level": "warning", 
"message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 63481, "scanner": "repobility-agent-runtime", "fingerprint": "29340dd640290c5a5ff2db87133986806b89ea99757d68df3994fc4da96fd3fc", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|29340dd640290c5a5ff2db87133986806b89ea99757d68df3994fc4da96fd3fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/reference/configuration.md"}, "region": {"startLine": 128}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 63480, "scanner": "repobility-agent-runtime", "fingerprint": "f43a69adeca7f6a7c919c843a82627598adc0c2ae9b10d62e3f451b7b9f8fc96", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|f43a69adeca7f6a7c919c843a82627598adc0c2ae9b10d62e3f451b7b9f8fc96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/cli/settings.md"}, "region": {"startLine": 30}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 63479, "scanner": "repobility-agent-runtime", "fingerprint": "a89dc008e4e2ca846ba969c64bc7a26418daf1f08d9fb0d6af66157fba2ab77a", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": 
"open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|a89dc008e4e2ca846ba969c64bc7a26418daf1f08d9fb0d6af66157fba2ab77a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/cli/cli-reference.md"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 63460, "scanner": "repobility-threat-engine", "fingerprint": "d5b11e32b3a5705bcd01c68f60a3467b62d7350efd7ad790673293a1e548b654", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\n    `((?:--)?(\"|')?(${urlSafeKeyPatternStr})\\\\2\\\\s*(?:[:=]|%3A|%3D)\\\\s*)${valuePattern}`", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d5b11e32b3a5705bcd01c68f60a3467b62d7350efd7ad790673293a1e548b654"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/utils/agent-sanitization-utils.ts"}, "region": {"startLine": 120}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. 
On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 63459, "scanner": "repobility-threat-engine", "fingerprint": "b9089dc511637a5f00057451a0162a3e385ace215abcf0457da55cdc6eec183c", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern);\n  } catch {\n    return false;\n  }\n\n  // 2. Limit length to prevent extremely lo", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b9089dc511637a5f00057451a0162a3e385ace215abcf0457da55cdc6eec183c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/policy/utils.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 63450, "scanner": "repobility-threat-engine", "fingerprint": "7498cf649e0d2ec158e79e0f6de1f8a22e164793553094de37e58bb45c8fc670", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7498cf649e0d2ec158e79e0f6de1f8a22e164793553094de37e58bb45c8fc670"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/ui/utils/directoryUtils.ts"}, "region": {"startLine": 128}}}]}, {"ruleId": "ERR002", "level": "warning", "message": 
{"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 63449, "scanner": "repobility-threat-engine", "fingerprint": "15e171a2d789de3c7c085c795bd0fd4e054aacfec892d4d057ac119090a437a0", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|15e171a2d789de3c7c085c795bd0fd4e054aacfec892d4d057ac119090a437a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/ui/hooks/useLogger.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 63448, "scanner": "repobility-threat-engine", "fingerprint": "cc640bd6d58b75158ceb8c4189702911feeb2cdf7e0eb7ad14d009df2e24f24a", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cc640bd6d58b75158ceb8c4189702911feeb2cdf7e0eb7ad14d009df2e24f24a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/ui/components/Notifications.tsx"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential 
compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 63407, "scanner": "repobility-threat-engine", "fingerprint": "d120847d42ee2123ace78a911ec1418806690ba9f74c7f45a2b93efadffd94bb", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|245|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/services/McpPromptLoader.ts"}, "region": {"startLine": 245}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 63406, "scanner": "repobility-threat-engine", "fingerprint": "33c483b8fc196ea60431f61f09f04610d08ca5a979d69bc401481dbe5b1b4bd0", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "-exec (", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|32|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/acp/commands/about.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 63405, "scanner": "repobility-threat-engine", "fingerprint": "9e31c61df8ac1d8e367e14443f0a2c2ebb98b2e269c308b64b671de6e320606d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|
token|57|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/sync-maintainer-labels.cjs"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 63400, "scanner": "repobility-threat-engine", "fingerprint": "ba436018058c72b363c579194f6eda776b081a103122885a2e635040349129db", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) {\n    return null;\n  }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ba436018058c72b363c579194f6eda776b081a103122885a2e635040349129db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".gemini/skills/ci/scripts/ci.mjs"}, "region": {"startLine": 33}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 63495, "scanner": "repobility-web-presence", "fingerprint": "fca89e21045c206a68d37b6ff5e3c6dacdc23f21d16c8cf556fb9bb53b5c7a90", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", 
"scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|fca89e21045c206a68d37b6ff5e3c6dacdc23f21d16c8cf556fb9bb53b5c7a90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/cli/telemetry.md"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 63492, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 63491, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", 
"level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 63490, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 63488, "scanner": "repobility-docker", "fingerprint": "71d90950de18ae6db186be03ef05ffe27458da11c2b0b65f01743a5715657d67", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|71d90950de18ae6db186be03ef05ffe27458da11c2b0b65f01743a5715657d67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".gcp/Dockerfile.gemini-code-builder"}, "region": {"startLine": 81}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 63487, "scanner": "repobility-docker", "fingerprint": "35eb3c1baeb62e93a96817461de368d12e73d47d6b5d910df3a6c671f8d284e0", "category": 
"docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|35eb3c1baeb62e93a96817461de368d12e73d47d6b5d910df3a6c671f8d284e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".gcp/Dockerfile.gemini-code-builder"}, "region": {"startLine": 81}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 63486, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63478, "scanner": "repobility-ai-code-hygiene", "fingerprint": "32688447ca1ab60148c9af908adbace0672267cf0e1bf128a1d718da700fe300", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/cli/src/ui/components/messages/ShellToolMessage.tsx", "duplicate_line": 130, "correlation_key": "fp|32688447ca1ab60148c9af908adbace0672267cf0e1bf128a1d718da700fe300"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/ui/components/messages/ToolMessage.tsx"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63477, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c00fa4eeb028fa330ca6bc27f9753a90cb0c0d2f609ed78dd09d8a6a90f90e37", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/cli/src/ui/components/messages/GeminiMessage.tsx", "duplicate_line": 30, "correlation_key": "fp|c00fa4eeb028fa330ca6bc27f9753a90cb0c0d2f609ed78dd09d8a6a90f90e37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/ui/components/messages/GeminiMessageContent.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63476, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cf2639fd2c08cd0c9cb9338b497aa8fe0cfe6f1f4862685747f6654f0bd1808d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "packages/cli/src/ui/components/MultiFolderTrustDialog.tsx", "duplicate_line": 129, "correlation_key": "fp|cf2639fd2c08cd0c9cb9338b497aa8fe0cfe6f1f4862685747f6654f0bd1808d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/ui/components/PolicyUpdateDialog.tsx"}, "region": {"startLine": 78}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63475, "scanner": "repobility-ai-code-hygiene", "fingerprint": "90ab0213f455cd8d2c14306cd3f20516733aadb743e19f2f1dd2db147434d9fc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/cli/src/ui/components/EmptyWalletDialog.tsx", "duplicate_line": 29, "correlation_key": "fp|90ab0213f455cd8d2c14306cd3f20516733aadb743e19f2f1dd2db147434d9fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/ui/components/OverageMenuDialog.tsx"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63474, "scanner": "repobility-ai-code-hygiene", "fingerprint": "998b0fc1f731b7114640c70b53bf613dc4d0e565fa863599993655d830ce45a1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/cli/src/ui/components/MultiFolderTrustDialog.tsx", "duplicate_line": 129, "correlation_key": "fp|998b0fc1f731b7114640c70b53bf613dc4d0e565fa863599993655d830ce45a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/ui/components/NewAgentsNotification.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63473, "scanner": "repobility-ai-code-hygiene", "fingerprint": "90002db64e25220b53ffec826021a6b61f73cb74e6392f8cfd4186c7ddfae90b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/cli/src/ui/components/AnsiOutput.tsx", "duplicate_line": 46, "correlation_key": "fp|90002db64e25220b53ffec826021a6b61f73cb74e6392f8cfd4186c7ddfae90b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/ui/components/BackgroundTaskDisplay.tsx"}, "region": {"startLine": 346}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63472, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0f3773166327e2b9bd6ba6573c2010a2d5500b2f05158a2534f1a580eeff00e3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/cli/src/nonInteractiveCli.ts", "duplicate_line": 60, 
"correlation_key": "fp|0f3773166327e2b9bd6ba6573c2010a2d5500b2f05158a2534f1a580eeff00e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/nonInteractiveCliAgentSession.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63471, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6c567a69a97011ec58a37a82d0d59534dfee9ebdd907d41d52acda7189eaacd2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/cli/src/config/extensions/github.ts", "duplicate_line": 161, "correlation_key": "fp|6c567a69a97011ec58a37a82d0d59534dfee9ebdd907d41d52acda7189eaacd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/config/extensions/update.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63470, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e5c1a91444dbbe022767ff2fb91385a7143aa4885b95d87723931cfe163e3aac", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/cli/src/commands/extensions/disable.ts", "duplicate_line": 51, "correlation_key": "fp|e5c1a91444dbbe022767ff2fb91385a7143aa4885b95d87723931cfe163e3aac"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/extensions/enable.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63469, "scanner": "repobility-ai-code-hygiene", "fingerprint": "27d22a35a992c578177f73f5830423ca9880fdaa5966ec3400d734d0ebcaa57f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/a2a-server/src/commands/restore.ts", "duplicate_line": 1, "correlation_key": "fp|27d22a35a992c578177f73f5830423ca9880fdaa5966ec3400d734d0ebcaa57f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/acp/commands/restore.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63468, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5a6360901657b23f19edee26160ca9d40dd5a5a24a891fe929a7caf8129d9197", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/a2a-server/src/commands/memory.ts", "duplicate_line": 2, "correlation_key": "fp|5a6360901657b23f19edee26160ca9d40dd5a5a24a891fe929a7caf8129d9197"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/acp/commands/memory.ts"}, "region": 
{"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63467, "scanner": "repobility-ai-code-hygiene", "fingerprint": "34f48159a5ea2e5cde05bd63b7c6d4672a231b042a4158b6979e534fe47d2825", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/a2a-server/src/commands/extensions.ts", "duplicate_line": 12, "correlation_key": "fp|34f48159a5ea2e5cde05bd63b7c6d4672a231b042a4158b6979e534fe47d2825"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/acp/commands/extensions.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63466, "scanner": "repobility-ai-code-hygiene", "fingerprint": "819fb5d0e17f8a7d3c3c982a79fd9f49bc59e8031c9a50da885d5d6056029c00", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/a2a-server/src/commands/command-registry.ts", "duplicate_line": 19, "correlation_key": "fp|819fb5d0e17f8a7d3c3c982a79fd9f49bc59e8031c9a50da885d5d6056029c00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/acp/commands/commandRegistry.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 63465, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff0c4d8af41412a66ddf7c37353e920f9c09f111a69b3a6b1eaff090792a7efe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evals/validation_fidelity.eval.ts", "duplicate_line": 29, "correlation_key": "fp|ff0c4d8af41412a66ddf7c37353e920f9c09f111a69b3a6b1eaff090792a7efe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/validation_fidelity_pre_existing_errors.eval.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63464, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f8ea61d8b987613b6c83bdf2ac78e6a0ed0fa75f9e0430e3b31207d94382890e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evals/memory_persistence.eval.ts", "duplicate_line": 9, "correlation_key": "fp|f8ea61d8b987613b6c83bdf2ac78e6a0ed0fa75f9e0430e3b31207d94382890e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/tool_output_masking.eval.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63463, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"fa27b17f352e56c6db9802de1eb2ae029c720034f2ffee9e1c029b15b2f6fd93", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "evals/auto_memory_contract.eval.ts", "duplicate_line": 39, "correlation_key": "fp|fa27b17f352e56c6db9802de1eb2ae029c720034f2ffee9e1c029b15b2f6fd93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/skill_extraction.eval.ts"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 63462, "scanner": "repobility-threat-engine", "fingerprint": "07cddb519931adc5d565f8969089a95076f1263edab33253faffba9e0749a501", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|07cddb519931adc5d565f8969089a95076f1263edab33253faffba9e0749a501"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/review.sh"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 63461, "scanner": "repobility-threat-engine", 
"fingerprint": "f63c8f7b59e34a579db6c7f2d4124577e632a2ced750566c8052bdfeab16e2a2", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value looks like a development placeholder, not a live credential", "evidence": {"match": "Password = '<redacted>'", "reason": "Value looks like a development placeholder, not a live credential", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|18|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/services/keychainService.ts"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 63458, "scanner": "repobility-threat-engine", "fingerprint": "9f80b7e6da70f303c7a77285828365f3c456fd1616b2e1e54fe530c2dc3e4dfd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9f80b7e6da70f303c7a77285828365f3c456fd1616b2e1e54fe530c2dc3e4dfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/index.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 63457, "scanner": "repobility-threat-engine", "fingerprint": "d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 63456, "scanner": "repobility-threat-engine", "fingerprint": "c361817c6f0878dc623775e3a9224558df149b44e992414dba957b1dfb4d587b", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.error(`Test MCP Server '${config.name}' connected and listening.`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|6|console.error test mcp server config.name connected and listening."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/test-utils/src/test-mcp-server-template.mjs"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or 
diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 63455, "scanner": "repobility-threat-engine", "fingerprint": "fc77ccc2da4fd63a039a3baf3823052c8f41c74d712539f6d82c24bc350a33bd", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "evidence": {"match": "Logger.debug('countTokens API failed:', error)", "reason": "The token term appears to refer to NLP/model token counts, a tokenizer, or blockchain token metadata rather than credential material", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|17|logger.debug counttokens api failed: error"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/utils/tokenCalculation.ts"}, "region": {"startLine": 180}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 63454, "scanner": "repobility-threat-engine", "fingerprint": "718114f87afbcdea0cee60e3651a657d05097eb3dd7311ab66546efe87a840ed", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "Logger.debug('\u2713 OAuth2 authentication successful! 
Token saved.')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|29|logger.debug oauth2 authentication successful token saved."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/agents/auth-provider/oauth2-provider.ts"}, "region": {"startLine": 297}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 63453, "scanner": "repobility-threat-engine", "fingerprint": "cec0eff05ea2cd5fda6ae629ceb8d7347625dfcd1b7c215e7e9d1c5a8d698c77", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cec0eff05ea2cd5fda6ae629ceb8d7347625dfcd1b7c215e7e9d1c5a8d698c77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/utils/skillUtils.ts"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 63452, "scanner": "repobility-threat-engine", "fingerprint": "017cc1e1baeeece8f2650ee852b1f6bb4508d6f4efa80a4c6a06fbff6e4cf744", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": 
"Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|017cc1e1baeeece8f2650ee852b1f6bb4508d6f4efa80a4c6a06fbff6e4cf744"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/utils/devtoolsService.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 63451, "scanner": "repobility-threat-engine", "fingerprint": "60d6be488fc9792b7c544c84123a75cbfde5e34988a54174c40e3a6c52f2694e", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|60d6be488fc9792b7c544c84123a75cbfde5e34988a54174c40e3a6c52f2694e"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 23 more): Same pattern found in 23 additional files. 
Review if needed."}, "properties": {"repobilityId": 63441, "scanner": "repobility-threat-engine", "fingerprint": "1231d1568fe46b0359a9552e6f5b0080c104928e5ddbfe51869a88207b0f7e54", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1231d1568fe46b0359a9552e6f5b0080c104928e5ddbfe51869a88207b0f7e54"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 63437, "scanner": "repobility-threat-engine", "fingerprint": "ef397bd65ac490246b20d8bf8e03ba08b255c30c874c66e1da62101f89c81278", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ef397bd65ac490246b20d8bf8e03ba08b255c30c874c66e1da62101f89c81278"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 11 more): Same pattern found in 11 additional files. 
Review if needed."}, "properties": {"repobilityId": 63433, "scanner": "repobility-threat-engine", "fingerprint": "ed5c888e07b2aa347c385214ce80be1d78475610869aff676d3a103a028dc34f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ed5c888e07b2aa347c385214ce80be1d78475610869aff676d3a103a028dc34f", "aggregated_count": 11}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 63432, "scanner": "repobility-threat-engine", "fingerprint": "8c6a5fcaa942ec4e87e6497ee301bf5674a1091b86aec183c527cae3945ecda5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8c6a5fcaa942ec4e87e6497ee301bf5674a1091b86aec183c527cae3945ecda5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/cli/src/ui/components/Banner.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 63431, "scanner": "repobility-threat-engine", "fingerprint": "0de5a8ceb5f0f01b7fa0a0f08ff49dd5a5f81e38943ee44767fa07622b7c96d6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0de5a8ceb5f0f01b7fa0a0f08ff49dd5a5f81e38943ee44767fa07622b7c96d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/ui/components/AlternateBufferQuittingDisplay.tsx"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 63430, "scanner": "repobility-threat-engine", "fingerprint": "687ad453488457b65aa42204403419000283db0f7f2b0269954f664058458100", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, 
"observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|687ad453488457b65aa42204403419000283db0f7f2b0269954f664058458100"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/examples/ask-user-dialog-demo.tsx"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, and UUIDv3 is a deterministic MD5 hash of a namespace and name, so both are predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 63427, "scanner": "repobility-threat-engine", "fingerprint": "4f82741248d2f2e3903d4a13469ec444978e04a35becce3b8f1bab266103461a", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|336|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/utils/trust.ts"}, "region": {"startLine": 336}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, and UUIDv3 is a deterministic MD5 hash of a namespace and name, so both are predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 63426, "scanner": "repobility-threat-engine", "fingerprint": "77cdec1889e6b8bd8c785e8cd32e34fdfc788831dc862fe2e3478bb32c5bb577", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|54|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/tool_output_masking.eval.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 63425, "scanner": "repobility-threat-engine", "fingerprint": "17dd83cf3397cfa50961ed7a1eb16167dc11286eb212fcf82fd3bf6e3376bd8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|17dd83cf3397cfa50961ed7a1eb16167dc11286eb212fcf82fd3bf6e3376bd8c", "aggregated_count": 7}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 63424, "scanner": "repobility-threat-engine", "fingerprint": "bd1a0a669ab55773d83c4e876ccda5f51513d0568867e4f73516bf1ee0d94158", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bd1a0a669ab55773d83c4e876ccda5f51513d0568867e4f73516bf1ee0d94158"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/shell-efficiency.eval.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 63423, "scanner": "repobility-threat-engine", "fingerprint": "12b78c4edbfa921eeaa968753cc77227ad523f92850a23462826cd58607ac412", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|12b78c4edbfa921eeaa968753cc77227ad523f92850a23462826cd58607ac412"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/llm-judge.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 63422, "scanner": "repobility-threat-engine", "fingerprint": "c05ceff660e5b8adcbca8e091424ce96c4f6567e4a0af36c3e3cf73abb3b423a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c05ceff660e5b8adcbca8e091424ce96c4f6567e4a0af36c3e3cf73abb3b423a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/frugalSearch.eval.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 73 more): Same pattern found in 73 additional files. Review if needed."}, "properties": {"repobilityId": 63421, "scanner": "repobility-threat-engine", "fingerprint": "bbdd3cfedc23e2175994207eb136066d3a8ae2feaec0ff2290fda3299475c4b5", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 73 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|bbdd3cfedc23e2175994207eb136066d3a8ae2feaec0ff2290fda3299475c4b5", "aggregated_count": 73}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 63420, "scanner": "repobility-threat-engine", "fingerprint": "f3b921d945df4d84fdd26982f7cc69c99f97037c80df24cd1046c4e0a68a3ae8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f3b921d945df4d84fdd26982f7cc69c99f97037c80df24cd1046c4e0a68a3ae8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/test-mcp-server.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 63419, "scanner": "repobility-threat-engine", "fingerprint": "9da47e673c2ba32609dd6abe25212ca05a07f70168a91276c9d2f03bd06ada6b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9da47e673c2ba32609dd6abe25212ca05a07f70168a91276c9d2f03bd06ada6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/tracker.eval.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 63418, "scanner": "repobility-threat-engine", "fingerprint": "4205438b3223fe5be28e2c247c821c5b32ad9009472c6d43faaf7c68bbfd24dc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4205438b3223fe5be28e2c247c821c5b32ad9009472c6d43faaf7c68bbfd24dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/calendar-all-day.eval.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 63417, "scanner": "repobility-threat-engine", "fingerprint": "10405ed5972d0163fa5681e2bb04cbe673746353d2f755e6d028c473b94466e9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|10405ed5972d0163fa5681e2bb04cbe673746353d2f755e6d028c473b94466e9", "aggregated_count": 11}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 63416, "scanner": "repobility-threat-engine", "fingerprint": "97b097f31eee11c042f06812073e490a740ebbaffa2dc2544f68c2f4e21189d8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|97b097f31eee11c042f06812073e490a740ebbaffa2dc2544f68c2f4e21189d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/shell-efficiency.eval.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 63415, "scanner": "repobility-threat-engine", "fingerprint": "d1a4deeacb696eb9afec5996c9bd8b87e51d092a3d5f338bc46cca7c77699fb0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d1a4deeacb696eb9afec5996c9bd8b87e51d092a3d5f338bc46cca7c77699fb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/redundant_casts.eval.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 63414, "scanner": "repobility-threat-engine", "fingerprint": "2cca637dfb9f2956122b34d2d008d91c1d4b92ceaf0fa9369aec5de3eeb9ef38", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2cca637dfb9f2956122b34d2d008d91c1d4b92ceaf0fa9369aec5de3eeb9ef38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/automated-tool-use.eval.ts"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 35 more): Same pattern found in 35 additional files. 
Review if needed."}, "properties": {"repobilityId": 63413, "scanner": "repobility-threat-engine", "fingerprint": "98d7a331825c15c416a69df4a9300e41a45b360743a4004ad73bcb9325ec73df", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|98d7a331825c15c416a69df4a9300e41a45b360743a4004ad73bcb9325ec73df"}}}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 63409, "scanner": "repobility-threat-engine", "fingerprint": "d0ef38888978cb97f23a16560d0d3a6b5f1b9ca8732ce2e4ca30d22a336712e3", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.json' detected on same line", "evidence": {"match": "require(path", "reason": "Safe pattern '\\.json' detected on same line", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|d0ef38888978cb97f23a16560d0d3a6b5f1b9ca8732ce2e4ca30d22a336712e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "esbuild.config.js"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 11 more): Same pattern found in 11 additional files. 
Review if needed."}, "properties": {"repobilityId": 63408, "scanner": "repobility-threat-engine", "fingerprint": "d0e616afa1de809b2c500a0ca0e082d2fb57cb894ec3187d2f28344c2529f1d5", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d0e616afa1de809b2c500a0ca0e082d2fb57cb894ec3187d2f28344c2529f1d5"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 74 more): Same pattern found in 74 additional files. Review if needed."}, "properties": {"repobilityId": 63404, "scanner": "repobility-threat-engine", "fingerprint": "22746cb9e5e18719cf317f76d2dd3f52c6f3896913cc89b77c5da63c8fbc388f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 74 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|22746cb9e5e18719cf317f76d2dd3f52c6f3896913cc89b77c5da63c8fbc388f", "aggregated_count": 74}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 63403, "scanner": "repobility-threat-engine", "fingerprint": "a5b09a9745ec466506ed214b656d6a13af0ccef964ae90f405ffdfcdd27a9988", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a5b09a9745ec466506ed214b656d6a13af0ccef964ae90f405ffdfcdd27a9988"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/backfill-need-triage.cjs"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 63402, "scanner": "repobility-threat-engine", "fingerprint": "780eac46d5413ca00b9f95d3b88f206edbad65ca3de8857ed08975bf2d669984", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|780eac46d5413ca00b9f95d3b88f206edbad65ca3de8857ed08975bf2d669984"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".gemini/skills/pr-address-comments/scripts/fetch-pr-info.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 63401, "scanner": "repobility-threat-engine", "fingerprint": "3849fcbb29306a3894637daf5c2624c0b0bc5d80cfebf3bb45968bac25ce37c5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3849fcbb29306a3894637daf5c2624c0b0bc5d80cfebf3bb45968bac25ce37c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".gemini/skills/ci/scripts/ci.mjs"}, "region": {"startLine": 157}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 63399, "scanner": "repobility-threat-engine", "fingerprint": "0eb70acf3c3e2456940d2ee82b44578b561a627e626174a1570b7e8b017168b1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 20 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0eb70acf3c3e2456940d2ee82b44578b561a627e626174a1570b7e8b017168b1"}}}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@google/gemini-cli-core` pulled from URL/Git: `dependencies.@google/gemini-cli-core` = `file:../core` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 63509, "scanner": "repobility-supply-chain", "fingerprint": "447463196e0558f576a4a22d8b2ddcdb2e91902be55b16e2f14b15970d5dd041", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|447463196e0558f576a4a22d8b2ddcdb2e91902be55b16e2f14b15970d5dd041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/a2a-server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@google/gemini-cli-test-utils` pulled from URL/Git: `devDependencies.@google/gemini-cli-test-utils` = `file:../test-utils` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 63508, "scanner": "repobility-supply-chain", "fingerprint": "83541597a77def6c7cff7c3e3ec3e27d07939d54fed49e0c248d114b62703575", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|83541597a77def6c7cff7c3e3ec3e27d07939d54fed49e0c248d114b62703575"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@google/gemini-cli-core` pulled from URL/Git: `dependencies.@google/gemini-cli-core` = `file:../core` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 63507, "scanner": "repobility-supply-chain", "fingerprint": "457f12f6c2ab44463e78da9bd4da2214384fe7fab6addcb0f0c161082e1e9fbe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|457f12f6c2ab44463e78da9bd4da2214384fe7fab6addcb0f0c161082e1e9fbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@google/gemini-cli-core` pulled from URL/Git: `dependencies.@google/gemini-cli-core` = `file:../core` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 63506, "scanner": "repobility-supply-chain", "fingerprint": "a7ea779f70ff2544a3c0b0b45197f2c23c2f8711f2605b8f9e759bd3ddea39a3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a7ea779f70ff2544a3c0b0b45197f2c23c2f8711f2605b8f9e759bd3ddea39a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/test-utils/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@google/gemini-cli-test-utils` pulled from URL/Git: `devDependencies.@google/gemini-cli-test-utils` = `file:../test-utils` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 63505, "scanner": "repobility-supply-chain", "fingerprint": "1eb0916aaed27ecfaf3ab82e824f3c87651c9a58d1c3f0a3b0c324db467fbb0b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1eb0916aaed27ecfaf3ab82e824f3c87651c9a58d1c3f0a3b0c324db467fbb0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `@google/gemini-cli-core` pulled from URL/Git: `dependencies.@google/gemini-cli-core` = `file:../core` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 63504, "scanner": "repobility-supply-chain", "fingerprint": "1038c5cb53ee7709fb2e7422ce62cabdfeee48eb067e6eb0f5b9614760d4bf14", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1038c5cb53ee7709fb2e7422ce62cabdfeee48eb067e6eb0f5b9614760d4bf14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/sdk/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 63503, "scanner": "repobility-supply-chain", "fingerprint": "39a91779b06474a1bb0273a1b87930f4d9f309d1ccbeb2d97a1e2cf665fc632f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|39a91779b06474a1bb0273a1b87930f4d9f309d1ccbeb2d97a1e2cf665fc632f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".gcp/Dockerfile.gemini-code-builder"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `docker.io/library/node:20-slim` not pinned by digest: `FROM docker.io/library/node:20-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 63502, "scanner": "repobility-supply-chain", "fingerprint": "16b3771b40698e04593dc22189c6075473878e89bbc25df9617344c0f1d2b7fa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|16b3771b40698e04593dc22189c6075473878e89bbc25df9617344c0f1d2b7fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".gcp/Dockerfile.development"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `docker.io/library/node:20-slim` not pinned by digest: `FROM docker.io/library/node:20-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 63501, "scanner": "repobility-supply-chain", "fingerprint": "d91db57d9ca598cf96660f02408aba9dfab37a27fd6e41178606d911e6851b2e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d91db57d9ca598cf96660f02408aba9dfab37a27fd6e41178606d911e6851b2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `docker.io/library/node:20-slim` not pinned by digest: `FROM docker.io/library/node:20-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 63500, "scanner": "repobility-supply-chain", "fingerprint": "0351dbaf23fedeb6e792fd9e7eec4957ea2f35f4954e159e4eb6153270d901dd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0351dbaf23fedeb6e792fd9e7eec4957ea2f35f4954e159e4eb6153270d901dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 63499, "scanner": "repobility-route-auth", "fingerprint": "875b191ce2ba8d29cc72788f9082b79db10907218121a22c6267184f00228e45", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|875b191ce2ba8d29cc72788f9082b79db10907218121a22c6267184f00228e45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/vscode-ide-companion/src/ide-server.ts"}, "region": {"startLine": 213}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /mcp has no auth: Express route 
POST /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 63498, "scanner": "repobility-route-auth", "fingerprint": "fc8fcbe47da8f8bc9f5d0cbb981016eac380877f8f4211e1482348533fb44cc1", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|fc8fcbe47da8f8bc9f5d0cbb981016eac380877f8f4211e1482348533fb44cc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/test-mcp-server.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /users has no auth: Express route POST /users declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 63497, "scanner": "repobility-route-auth", "fingerprint": "267db0585f90cb0ec15c99bfd5abf954a4646bab252404da982cda93e4b86be3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|267db0585f90cb0ec15c99bfd5abf954a4646bab252404da982cda93e4b86be3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/update_topic.eval.ts"}, "region": {"startLine": 200}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 63447, "scanner": "repobility-threat-engine", "fingerprint": "d5e65e45a8e75070df944720f5e231add85b1b22cee4a0d3ee59a924a4ff9254", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d5e65e45a8e75070df944720f5e231add85b1b22cee4a0d3ee59a924a4ff9254"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/policy/utils.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 63446, "scanner": "repobility-threat-engine", "fingerprint": "e1c6cef45646d660fd93598852a2ff34fe18d3ef7fd6b6a61a994f3874b155f9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(matcher", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e1c6cef45646d660fd93598852a2ff34fe18d3ef7fd6b6a61a994f3874b155f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/hooks/hookPlanner.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 63445, "scanner": "repobility-threat-engine", "fingerprint": "094d173dc3dfe6cadfb42c6bda2ddc264280129deda207c7a3c7f5b420458d8f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|094d173dc3dfe6cadfb42c6bda2ddc264280129deda207c7a3c7f5b420458d8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/services/McpPromptLoader.ts"}, "region": {"startLine": 196}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 63444, "scanner": "repobility-threat-engine", "fingerprint": "ba882fe7556fa4cf3a4b33dc95665e745bf62d1550ea26b415f3c4d2e2000104", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.resolve(docsRoot, this.params", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|124|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/tools/get-internal-docs.ts"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 63443, "scanner": "repobility-threat-engine", "fingerprint": "26c516480d5157fedafa13d28e11803e3c721516cc7b4f768eb755aebb702c00", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.resolve(cwd, input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|83|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/core/src/safety/built-in.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 63442, "scanner": "repobility-threat-engine", "fingerprint": "d0e274450ab01a28b442bb38866a3005cd77ab324e5a4b822dbea6f42dd4f38d", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.resolve(\n        absoluteInput", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|54|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/extensions/validate.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 63440, "scanner": "repobility-threat-engine", "fingerprint": "669f6a8dcb626c70e27894876861b58f363785b42abcf65a7ebe7d52524d30ea", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((l) => `  [${l.line}]: \"${l.content}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|669f6a8dcb626c70e27894876861b58f363785b42abcf65a7ebe7d52524d30ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/test-utils/customMatchers.ts"}, "region": {"startLine": 104}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 63439, "scanner": "repobility-threat-engine", "fingerprint": "768bb10564bac57a0c8b728be3366cf994c0f4098e1f46c4bca9066577ba6a2e", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((arg) => `--${arg.name}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|768bb10564bac57a0c8b728be3366cf994c0f4098e1f46c4bca9066577ba6a2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/services/McpPromptLoader.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 63438, "scanner": "repobility-threat-engine", "fingerprint": "9d7b076dbfdb30064defd52a7e13277f7481c5e064e5c6e00fa3d139cc4a2214", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((extension) => `${extension.name} (${extension.version}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9d7b076dbfdb30064defd52a7e13277f7481c5e064e5c6e00fa3d139cc4a2214"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/extensions/update.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 63436, "scanner": "repobility-threat-engine", "fingerprint": "5847694d2eef4be6821616f7669b5d66c747132e3143b204b6a4f0459b0ec115", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL (s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5847694d2eef4be6821616f7669b5d66c747132e3143b204b6a4f0459b0ec115"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/mcp/add.ts"}, "region": {"startLine": 156}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 63435, "scanner": "repobility-threat-engine", "fingerprint": "d38a690b6c77d8fef1df5c01da36438f7d039c09c202e741142049df653a6fc2", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(h", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d38a690b6c77d8fef1df5c01da36438f7d039c09c202e741142049df653a6fc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/commands/gemma/platform.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 63434, "scanner": "repobility-threat-engine", "fingerprint": "09f3e74074138dcff0ccbe48d270215546f3eb6221167c0e81a8b9cf00ff71ba", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url (s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|09f3e74074138dcff0ccbe48d270215546f3eb6221167c0e81a8b9cf00ff71ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/acp/acpSessionManager.ts"}, "region": {"startLine": 309}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 63429, "scanner": "repobility-threat-engine", "fingerprint": "a0c55bb24f8d6b64ceee0cbf0bd055a8934c9c06c2dbd5a88cb559a1d8aaf903", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post('/mcp', async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a0c55bb24f8d6b64ceee0cbf0bd055a8934c9c06c2dbd5a88cb559a1d8aaf903"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integration-tests/test-mcp-server.ts"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 63428, "scanner": "repobility-threat-engine", "fingerprint": "872e711b40add3ad528436450b2d5380d0f26a290b66a7b6e2f91c396d3e52e7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post('/users', (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|872e711b40add3ad528436450b2d5380d0f26a290b66a7b6e2f91c396d3e52e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "evals/update_topic.eval.ts"}, "region": {"startLine": 200}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 63412, "scanner": "repobility-threat-engine", "fingerprint": "a11df6143d7a1e45427bbbcd4f7e850c815580c04257986d4589aec5471991ad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "registry.commandMap.delete(name);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a11df6143d7a1e45427bbbcd4f7e850c815580c04257986d4589aec5471991ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/services/SlashCommandResolver.ts"}, "region": {"startLine": 150}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 63411, "scanner": "repobility-threat-engine", "fingerprint": "76dca3103379cf652c6ba924c38c44f1dc534b74d1dcc12311e6511730d339e2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "destStream.destroy(err);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|76dca3103379cf652c6ba924c38c44f1dc534b74d1dcc12311e6511730d339e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/a2a-server/src/persistence/gcs.ts"}, "region": {"startLine": 163}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 63410, "scanner": "repobility-threat-engine", "fingerprint": "52033755807a3d1708533b7dd3eeff28398dd9b29d8f63b6a9ebbfb41277583f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.allSettled(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|52033755807a3d1708533b7dd3eeff28398dd9b29d8f63b6a9ebbfb41277583f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "esbuild.config.js"}, "region": {"startLine": 163}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 63398, "scanner": "repobility-threat-engine", "fingerprint": "29fa260b3360e49fa4141cd42b8690113df3840cf6cf5a1fdd89d787e849c162", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec ($", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|29fa260b3360e49fa4141cd42b8690113df3840cf6cf5a1fdd89d787e849c162"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/acp/commands/about.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command 
injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 63397, "scanner": "repobility-threat-engine", "fingerprint": "272cacb3705d069f9ea97e9184c3d7bc65ad4c44ad8a716ec27d27a1652ac14a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|272cacb3705d069f9ea97e9184c3d7bc65ad4c44ad8a716ec27d27a1652ac14a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/sync-maintainer-labels.cjs"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 63396, "scanner": "repobility-threat-engine", "fingerprint": "82d7eb2a313855b536e784438920b47152cd8de0f8a8fcdf16c022b2b7a57c3a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|82d7eb2a313855b536e784438920b47152cd8de0f8a8fcdf16c022b2b7a57c3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".gemini/skills/ci/scripts/ci.mjs"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GEMINI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GEMINI_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63511, "scanner": "repobility-supply-chain", "fingerprint": "69309352a1d0d08bf6617c479e799ec7defae6577295e47a4e5059724d4f973c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|69309352a1d0d08bf6617c479e799ec7defae6577295e47a4e5059724d4f973c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 443}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GEMINI_CLI_ROBOT_GITHUB_PAT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GEMINI_CLI_ROBOT_GITHUB_PAT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63510, "scanner": "repobility-supply-chain", "fingerprint": "7e7a619db5e68a4184e710dd28c45f47461d831cb210de7d47fe5b3e47e40df7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e7a619db5e68a4184e710dd28c45f47461d831cb210de7d47fe5b3e47e40df7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 47}}}]}]}]}