{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB012", "name": "Service worker is present without a web app manifest", "shortDescription": {"text": "Service worker is present without a web app manifest"}, "fullDescription": {"text": "Add a valid manifest.json or site.webmanifest and reference it from the document head. Include name, icons, start_url, display, and theme colors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. 
Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN002", "name": "Browser storage is used for session token material", "shortDescription": {"text": "Browser storage is used for session token material"}, "fullDescription": {"text": "Prefer httpOnly, Secure, SameSite cookies or short-lived in-memory tokens. Avoid persistent browser storage for access, refresh, ID, or partner session tokens."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. 
For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. 
Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is      functionally equivalent to `a+` for matching purposes.\n  2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in      replacement for `re` for most use cases.\n  3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. 
If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. 
Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED081", "name": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr.", "shortDescription": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. 
In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path (and 1 more): Same pattern found in 1 additional files. Review if need", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC084] JS: require() with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 21 more): Same pattern found in 21 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 11 more): Same pattern found in 11 additional files. 
Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 3 more): Same pattern found in 3 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 4 more): Same pattern found in 4 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 42 more): Same pattern found in 42 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 57 more): Same pattern found in 57 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 57 more): Same pattern found in 57 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 107 more): Same pattern found in 107 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 107 more): Same pattern found in 107 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 40 more): Same pattern found in 40 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 75 more): Same pattern found in 75 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 75 more): Same pattern found in 75 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 49 more): Same pattern found in 49 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 49 more): Same pattern found in 49 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 64 more): Same pattern found in 64 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 64 more): Same pattern found in 64 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `packages/playwright-core/src/server/android/driver/gradle/wrapper/gradle-wrapper.jar` committed ", "shortDescription": {"text": "[MINED134] Binary file `packages/playwright-core/src/server/android/driver/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `packages/playwright-core/src/server/android/driver/gradle/wrapper/gradle-wrapper.jar` is a .jar binary "}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. 
If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `ubuntu:noble` not pinned by digest: `FROM ubuntu:noble` resolves the tag at build time. The ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `ubuntu:noble` not pinned by digest: `FROM ubuntu:noble` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images shou"}, "fullDescription": {"text": "Replace with: `FROM ubuntu:noble@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. 
Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC038", "name": "[SEC038] HTTP Request Smuggling Risk \u2014 TE/CL mismatch: HTTP Request Smuggling (HRS) abuses parser disagreement between f", "shortDescription": {"text": "[SEC038] HTTP Request Smuggling Risk \u2014 TE/CL mismatch: HTTP Request Smuggling (HRS) abuses parser disagreement between front-end and back-end servers about request boundaries when Transfer-Encoding and Content-Length both present. Attackers"}, "fullDescription": {"text": "Don't set Transfer-Encoding manually \u2014 let the framework. If you must:\n  1. Only set ONE of Transfer-Encoding or Content-Length per response.\n  2. Reject incoming requests with both headers (RFC 7230 \u00a73.3.3 #3).\n  3. Use a battle-tested HTTP server (nginx, envoy) as front-end; never      accept raw HTTP over the network.\n  4. 
For chunked-encoding handling, use the framework's built-in parser      rather than rolling your own."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. 
Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_CLIENT_ID` on a `pull_request` trigger: This workflow trigge", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_CLIENT_ID }` l"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage: eval() executes arbitrary code. 
Code injection risk.", "shortDescription": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/782"}, "properties": {"repository": "microsoft/playwright", "repoUrl": "https://github.com/microsoft/playwright", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 65934, "scanner": "repobility-ast-engine", "fingerprint": "dac9781d9bb328f2a77e487c7b37789a71d0d850b9f32d9ec0d87b495e937188", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dac9781d9bb328f2a77e487c7b37789a71d0d850b9f32d9ec0d87b495e937188"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/doclint/linting-code-snippets/python/main.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "WEB012", "level": "warning", "message": {"text": "Service worker is present without a web app manifest"}, "properties": {"repobilityId": 65933, "scanner": "repobility-web-presence", "fingerprint": "fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A service 
worker was discovered but no common web manifest file was found.", "evidence": {"rule_id": "WEB012", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/Manifest"], "correlation_key": "fp|fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "manifest.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 65932, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 65926, "scanner": "repobility-journey-contract", "fingerprint": "21add5967309165797a59a973b11e1a0c6ba35126851205c261d0aed7a0bee15", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": 
"code|auth|token|69|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/extension/src/ui/authToken.tsx"}, "region": {"startLine": 69}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 65925, "scanner": "repobility-journey-contract", "fingerprint": "4c414f991a5e6b79853b8803f89c74cd4d288da9f3e09af434359926f8aa92df", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|66|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/extension/src/ui/authToken.tsx"}, "region": {"startLine": 66}}}]}, {"ruleId": "JRN002", "level": "warning", "message": {"text": "Browser storage is used for session token material"}, "properties": {"repobilityId": 65924, "scanner": "repobility-journey-contract", "fingerprint": "595b4ff340289bba3b8a9838d9cca0f57286428ddd673ce9de70f0decfec8a34", "category": "auth", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Storage API call references token-like key or value names.", "evidence": {"rule_id": "JRN002", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|27|jrn002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/extension/src/ui/authToken.tsx"}, "region": {"startLine": 27}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses 
web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 65923, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js", "GraphQL"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 65922, "scanner": "repobility-docker", "fingerprint": "bd1209b002bafae167d3dcebc944279f69ad75406c668b061ac58f35e745777b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:noble", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bd1209b002bafae167d3dcebc944279f69ad75406c668b061ac58f35e745777b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/docker/Dockerfile.noble"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 65921, "scanner": "repobility-docker", "fingerprint": 
"c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 65920, "scanner": "repobility-docker", "fingerprint": "304c0d4939867476ddf1a6726516d1ed8e8866ad3f10dc42f09e289ffec5f023", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ubuntu:jammy", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|304c0d4939867476ddf1a6726516d1ed8e8866ad3f10dc42f09e289ffec5f023"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/docker/Dockerfile.jammy"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 65919, "scanner": "repobility-agent-runtime", "fingerprint": "60ef0dfdd609ff494e3c5d27aea6ab24ab4852e10cdadf37cbe2a8259015c6b5", "category": "quality", "severity": "medium", "confidence": 0.72, 
"triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|60ef0dfdd609ff494e3c5d27aea6ab24ab4852e10cdadf37cbe2a8259015c6b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright/types/test.d.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 65918, "scanner": "repobility-agent-runtime", "fingerprint": "e950771e1dfb00cff9b266ba5a9524a71edf824b92f8f5d012ca70094f08620d", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|e950771e1dfb00cff9b266ba5a9524a71edf824b92f8f5d012ca70094f08620d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright/src/reporters/html.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 65917, "scanner": "repobility-agent-runtime", "fingerprint": "bfe97012723cec09e0c7cdc20be00d9c228504dbb58ba35772414f6c84a268c9", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": 
{"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|bfe97012723cec09e0c7cdc20be00d9c228504dbb58ba35772414f6c84a268c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright/src/program.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 65916, "scanner": "repobility-agent-runtime", "fingerprint": "fd490a6d09749ad7b4d45bb4f1290a114bb34203038af65b1179904553d49be3", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|fd490a6d09749ad7b4d45bb4f1290a114bb34203038af65b1179904553d49be3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/src/docker.md"}, "region": {"startLine": 240}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 65915, "scanner": "repobility-agent-runtime", "fingerprint": "ca11e667aab98aac5d4a558664998f13575cee73ecd2c4da6d69c608c78d6052", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ca11e667aab98aac5d4a558664998f13575cee73ecd2c4da6d69c608c78d6052"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_docker.yml"}, "region": 
{"startLine": 119}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 65882, "scanner": "repobility-threat-engine", "fingerprint": "be88605a1e7f9082da1986840586f3ac383c6b38d205383e4b15a1f3774f17e2", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(url, '_blank')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|218|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/codeMirrorWrapper.tsx"}, "region": {"startLine": 218}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. 
Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 65881, "scanner": "repobility-threat-engine", "fingerprint": "89478365d5d41b868765602c8a4e8fd7a4e961adad1128c3805e4c5c5461c249", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server {\n  const server = http.createServer(...args);\n  decorateServer(server);\n  return server", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|89478365d5d41b868765602c8a4e8fd7a4e961adad1128c3805e4c5c5461c249"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/utils/network.ts"}, "region": {"startLine": 161}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. 
Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 65852, "scanner": "repobility-threat-engine", "fingerprint": "b3344eb054863520dc56e611d777a040f4f07280d8d85bd55ed94d9d67e809ef", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp([\n        '[\\\\u001B\\\\u009B][[\\\\]()#;?]*(?:(?:(?:[a-zA-Z\\\\d]*(?:;[-a-zA-Z\\\\d\\\\/#&.:=?%@~_]", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b3344eb054863520dc56e611d777a040f4f07280d8d85bd55ed94d9d67e809ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/utils/debugLogger.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. 
Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 65851, "scanner": "repobility-threat-engine", "fingerprint": "f48d75fdc80856f616cdcf13119abbbcc47c461424b7070cdaa2dc6aa7e33d0a", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(source, flags);\n}\n\nexport function tomlBasicString(value: string): string {\n  // JSON.str", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f48d75fdc80856f616cdcf13119abbbcc47c461424b7070cdaa2dc6aa7e33d0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/stringUtils.ts"}, "region": {"startLine": 189}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 65846, "scanner": "repobility-threat-engine", "fingerprint": "ba07827986ad2812caaeb90981985f4a0531038d2e673c445f29251e41bf70e3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) {\n    return null;\n  }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ba07827986ad2812caaeb90981985f4a0531038d2e673c445f29251e41bf70e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/urlMatch.ts"}, "region": {"startLine": 262}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 65845, "scanner": "repobility-threat-engine", "fingerprint": "dc554f6a4b78ca236533f72c57fe79aaa78d99c44f5f9c81acdc4a520d97777d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) { return null; }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dc554f6a4b78ca236533f72c57fe79aaa78d99c44f5f9c81acdc4a520d97777d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/injected/src/webview/webViewDialog.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 65841, "scanner": "repobility-threat-engine", "fingerprint": "9dae311d34174665a354a33c1dd18e927cc08473914c332d4847708a3ef642d1", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|182|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/trace-viewer/src/ui/actionList.tsx"}, "region": {"startLine": 182}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 65840, "scanner": "repobility-threat-engine", "fingerprint": "deba0bfcb6121b5e97e993dd2a6e41657697bcbebbda79e60f5f4451d32a11b7", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new Function(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|82|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-ct-vue/registerSource.mjs"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 65839, "scanner": "repobility-threat-engine", "fingerprint": "f844abaeff6e0ff0b7e3ebdda11ce4304f83fa27b84f3b1621bc5fccf809c831", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|50|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/tools/backend/evaluate.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 65802, "scanner": "repobility-threat-engine", "fingerprint": "4a12aa929576ef0a21ffb09cf3c45b41a560c36167da99e9e494b5f345464e22", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4a12aa929576ef0a21ffb09cf3c45b41a560c36167da99e9e494b5f345464e22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/extension/src/background.ts"}, "region": {"startLine": 122}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 65801, "scanner": "repobility-threat-engine", "fingerprint": "49c5b956f88b790ee4ba02cc5c5d9a6df56b85a6c9e256856f7aa1431c18c625", "category": "error_handling", "severity": 
"medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|49c5b956f88b790ee4ba02cc5c5d9a6df56b85a6c9e256856f7aa1431c18c625"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dashboard/src/transport.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 65800, "scanner": "repobility-threat-engine", "fingerprint": "c0c746c0522ceb6b451a705f958748e438a2f551976d23f69a1b82ae8304cb0d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c0c746c0522ceb6b451a705f958748e438a2f551976d23f69a1b82ae8304cb0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser_patches/firefox/juggler/Helper.js"}, "region": {"startLine": 101}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 65931, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", 
"scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 65930, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 65929, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", 
"message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 65928, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65914, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f071b43a6c77a5507a0ce121cd38481ada1850dc5bdd39cea9998596286f916c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/playwright-core/src/server/bidi/bidiConnection.ts", "duplicate_line": 30, "correlation_key": "fp|f071b43a6c77a5507a0ce121cd38481ada1850dc5bdd39cea9998596286f916c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/server/webkit/wkConnection.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65913, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"66165d82f13ef6232ec9f1aae3c72b65b77c01b9f24c8d402b492e520182bfac", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/playwright-core/src/server/firefox/ffPage.ts", "duplicate_line": 402, "correlation_key": "fp|66165d82f13ef6232ec9f1aae3c72b65b77c01b9f24c8d402b492e520182bfac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/server/webkit/webview/wvPage.ts"}, "region": {"startLine": 584}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65912, "scanner": "repobility-ai-code-hygiene", "fingerprint": "46158ab7a912e31092d3ec15704e792e84cfad2bee3440e0da505c7ff6a3ac92", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/playwright-core/src/server/firefox/ffInput.ts", "duplicate_line": 33, "correlation_key": "fp|46158ab7a912e31092d3ec15704e792e84cfad2bee3440e0da505c7ff6a3ac92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/server/webkit/webview/wvInput.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65911, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"f7cdd1a230d9f0adb0459e21b229064829cfc2c6f20f564065b6b25e9e9bc531", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/playwright-core/src/server/bidi/bidiConnection.ts", "duplicate_line": 30, "correlation_key": "fp|f7cdd1a230d9f0adb0459e21b229064829cfc2c6f20f564065b6b25e9e9bc531"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/server/webkit/webview/wvConnection.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65910, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d2a931f790c4afe4e07c9f67af697b94d0ffd7d1f0aacac3e0b92205851659ef", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "browser_patches/firefox/juggler/NetworkObserver.js", "duplicate_line": 606, "correlation_key": "fp|d2a931f790c4afe4e07c9f67af697b94d0ffd7d1f0aacac3e0b92205851659ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/server/network.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65909, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"fc00d4298f229bc6a3c2df3470ec2acded6b91f8b1dbbd7c8109207b76dec886", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/playwright-core/src/server/chromium/crExecutionContext.ts", "duplicate_line": 80, "correlation_key": "fp|fc00d4298f229bc6a3c2df3470ec2acded6b91f8b1dbbd7c8109207b76dec886"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/server/firefox/ffExecutionContext.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65908, "scanner": "repobility-ai-code-hygiene", "fingerprint": "30aaf03123da2fb1d71d469da7ed9a6568a353776b284d73932b912d0e49995d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/playwright-core/src/server/chromium/crConnection.ts", "duplicate_line": 56, "correlation_key": "fp|30aaf03123da2fb1d71d469da7ed9a6568a353776b284d73932b912d0e49995d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/server/firefox/ffConnection.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65907, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"78fce0608608bc872b830d3504adb0405613588dd593937d70af55189dcac9eb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/playwright-core/src/client/errors.ts", "duplicate_line": 17, "correlation_key": "fp|78fce0608608bc872b830d3504adb0405613588dd593937d70af55189dcac9eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/server/errors.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65906, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3419c836bc06f41acfde071f947cf8a4f17634153a51656299b04d2bfeb3d9e8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/playwright-core/src/server/bidi/bidiPdf.ts", "duplicate_line": 3, "correlation_key": "fp|3419c836bc06f41acfde071f947cf8a4f17634153a51656299b04d2bfeb3d9e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/server/chromium/crPdf.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65905, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b89f1d16e9a8185276d9ca4193c331d31e20012ada51c33be3cc81439eb8b1b4", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/playwright-core/src/server/bidi/bidiChromium.ts", "duplicate_line": 24, "correlation_key": "fp|b89f1d16e9a8185276d9ca4193c331d31e20012ada51c33be3cc81439eb8b1b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/server/chromium/chromium.ts"}, "region": {"startLine": 176}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65904, "scanner": "repobility-ai-code-hygiene", "fingerprint": "60f447d1321258334fb00700b2e28089ae3f05e47f66fbdcd1a9bc6808e02cf8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/isomorphic/utilityScriptSerializers.ts", "duplicate_line": 96, "correlation_key": "fp|60f447d1321258334fb00700b2e28089ae3f05e47f66fbdcd1a9bc6808e02cf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/protocol/serializers.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65903, "scanner": "repobility-ai-code-hygiene", "fingerprint": "19f618782cec988062b52edb1bb59f46dc14b1284ac99cd5ce10499622f5c0cb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/playwright-core/src/client/browserContext.ts", "duplicate_line": 196, "correlation_key": "fp|19f618782cec988062b52edb1bb59f46dc14b1284ac99cd5ce10499622f5c0cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/client/page.ts"}, "region": {"startLine": 167}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65902, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bc47560ddd92fecb9cad6deede4d57f3255c7308fc771777c456e0579cb7705d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/playwright-core/src/client/frame.ts", "duplicate_line": 285, "correlation_key": "fp|bc47560ddd92fecb9cad6deede4d57f3255c7308fc771777c456e0579cb7705d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/client/locator.ts"}, "region": {"startLine": 126}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65901, "scanner": "repobility-ai-code-hygiene", "fingerprint": "90a3994f55af3449a037ded1efbac27427859bd750ea30f574dfa57814502944", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two 
different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/playwright-core/src/client/disposable.ts", "duplicate_line": 10, "correlation_key": "fp|90a3994f55af3449a037ded1efbac27427859bd750ea30f574dfa57814502944"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/client/jsHandle.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65900, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a27dab908c1d989fa6dc2a193066616645e40339907743d8252dd1bd1989c896", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/injected/src/yaml.ts", "duplicate_line": 1, "correlation_key": "fp|a27dab908c1d989fa6dc2a193066616645e40339907743d8252dd1bd1989c896"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/yaml.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65899, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d8a5543ffed7b8d84f878fed5546e6c450846976c8daa9d47adff1f1c1a8cd6f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "packages/isomorphic/trace/versions/traceV6.ts", "duplicate_line": 126, "correlation_key": "fp|d8a5543ffed7b8d84f878fed5546e6c450846976c8daa9d47adff1f1c1a8cd6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/trace/versions/traceV8.ts"}, "region": {"startLine": 147}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65898, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1ce4022383eeee393ce6438aebea50382c7d3dd0b21cd17a983b47a02e57f048", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/isomorphic/trace/versions/traceV5.ts", "duplicate_line": 101, "correlation_key": "fp|1ce4022383eeee393ce6438aebea50382c7d3dd0b21cd17a983b47a02e57f048"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/trace/versions/traceV8.ts"}, "region": {"startLine": 117}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65897, "scanner": "repobility-ai-code-hygiene", "fingerprint": "74106fa0d342c0de9b924f9798a2db4a36b0feb68da736808a3e708d4cc1d509", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/isomorphic/trace/versions/traceV4.ts", 
"duplicate_line": 23, "correlation_key": "fp|74106fa0d342c0de9b924f9798a2db4a36b0feb68da736808a3e708d4cc1d509"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/trace/versions/traceV8.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65896, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2ae62b76c4b502ebba398f60447f311692e3dddced8bde4530dc5e2a6302e94b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/isomorphic/trace/versions/traceV3.ts", "duplicate_line": 9, "correlation_key": "fp|2ae62b76c4b502ebba398f60447f311692e3dddced8bde4530dc5e2a6302e94b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/trace/versions/traceV8.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65895, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1a84aa2596dcfe0faf4c43d8905cad2f0784ac2ccbf6070d2d63a8f8f8570e8b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/isomorphic/trace/versions/traceV7.ts", "duplicate_line": 5, "correlation_key": 
"fp|1a84aa2596dcfe0faf4c43d8905cad2f0784ac2ccbf6070d2d63a8f8f8570e8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/trace/versions/traceV8.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65894, "scanner": "repobility-ai-code-hygiene", "fingerprint": "723e618f149202180cba227af69c0a3c0516027283495a28a87b8826a8505030", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/isomorphic/trace/versions/traceV6.ts", "duplicate_line": 126, "correlation_key": "fp|723e618f149202180cba227af69c0a3c0516027283495a28a87b8826a8505030"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/trace/versions/traceV7.ts"}, "region": {"startLine": 147}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65893, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c24c2ec682f7ab634e3cfbb871f36a4136a5211f17e704f44f0396fd707c48f5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/isomorphic/trace/versions/traceV5.ts", "duplicate_line": 101, "correlation_key": "fp|c24c2ec682f7ab634e3cfbb871f36a4136a5211f17e704f44f0396fd707c48f5"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/trace/versions/traceV7.ts"}, "region": {"startLine": 117}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65892, "scanner": "repobility-ai-code-hygiene", "fingerprint": "acbed739564814f03e45b10d62df676d817d7f67fa06551eb52f668c65e324a9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/isomorphic/trace/versions/traceV4.ts", "duplicate_line": 23, "correlation_key": "fp|acbed739564814f03e45b10d62df676d817d7f67fa06551eb52f668c65e324a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/trace/versions/traceV7.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65891, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7f479ee1ae4ff8461fdc6649db36f79b4e339edcfbfaa17c756c671850fd62d6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/isomorphic/trace/versions/traceV3.ts", "duplicate_line": 9, "correlation_key": "fp|7f479ee1ae4ff8461fdc6649db36f79b4e339edcfbfaa17c756c671850fd62d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/trace/versions/traceV7.ts"}, 
"region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65890, "scanner": "repobility-ai-code-hygiene", "fingerprint": "547ad703bfd30c8378408ef88060bd580f089b8cb741d7a506a11a7980b2e64c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/isomorphic/trace/versions/traceV5.ts", "duplicate_line": 56, "correlation_key": "fp|547ad703bfd30c8378408ef88060bd580f089b8cb741d7a506a11a7980b2e64c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/trace/versions/traceV6.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65889, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fdba427dc55fd11126e3cb494b90848dfa6758a8ac118cc11fbc049e012d33e3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/isomorphic/trace/versions/traceV3.ts", "duplicate_line": 9, "correlation_key": "fp|fdba427dc55fd11126e3cb494b90848dfa6758a8ac118cc11fbc049e012d33e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/trace/versions/traceV6.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 65888, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3cbe4848d292566545443a7dc0dfe46c429ff0a4b8f7f6ee243fbdc9b06ff3a2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/isomorphic/trace/versions/traceV4.ts", "duplicate_line": 1, "correlation_key": "fp|3cbe4848d292566545443a7dc0dfe46c429ff0a4b8f7f6ee243fbdc9b06ff3a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/trace/versions/traceV6.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65887, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6713738e5f4f2e8094b9f32cb2543a57afd54f53c5c661ec7fce8b46a1ada315", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/isomorphic/trace/versions/traceV3.ts", "duplicate_line": 9, "correlation_key": "fp|6713738e5f4f2e8094b9f32cb2543a57afd54f53c5c661ec7fce8b46a1ada315"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/trace/versions/traceV5.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65886, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "b51a5c2bf5d5cc7acf58640e0d53d6fd07ba55e0d5ee778003f1270f351445ac", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/isomorphic/trace/versions/traceV4.ts", "duplicate_line": 1, "correlation_key": "fp|b51a5c2bf5d5cc7acf58640e0d53d6fd07ba55e0d5ee778003f1270f351445ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/trace/versions/traceV5.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 65885, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fe476db6ed23b305ac985c8fe3d7672f9155cf6c1bd0647f649cfb623f1402a1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/isomorphic/trace/versions/traceV3.ts", "duplicate_line": 9, "correlation_key": "fp|fe476db6ed23b305ac985c8fe3d7672f9155cf6c1bd0647f649cfb623f1402a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/trace/versions/traceV4.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). 
Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 65880, "scanner": "repobility-threat-engine", "fingerprint": "82f457330b3f30263fcf53508493049fcfa432e1a77a884f7407188286235b7c", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Status: ' + statusLine + '\\nProjects: '", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|82f457330b3f30263fcf53508493049fcfa432e1a77a884f7407188286235b7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/trace-viewer/src/ui/uiModeFiltersView.tsx"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED081", "level": "none", "message": {"text": "[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr."}, "properties": {"repobilityId": 65883, "scanner": "repobility-threat-engine", "fingerprint": "dccbd7538e9e0139c67a1db8e11a71afa94cd19876054a03bb4a72d29390a7f0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-printstacktrace", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348125+00:00", "triaged_in_corpus": 12, "observations_count": 2934, "ai_coder_pattern_id": 126}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|dccbd7538e9e0139c67a1db8e11a71afa94cd19876054a03bb4a72d29390a7f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/doclint/linting-code-snippets/java/src/main/java/JavaSyntaxChecker.java"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 65879, "scanner": "repobility-threat-engine", "fingerprint": "4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4434170c810fa43bf20566276ceaa9e55e65938a7f2140721f4fd2599ad87936"}}}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 65874, "scanner": "repobility-threat-engine", "fingerprint": "f4ac5021b51b51bd13286dada19b37b8fb95b3a421b54c8f057b53bc2dbd4570", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": 
"2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f4ac5021b51b51bd13286dada19b37b8fb95b3a421b54c8f057b53bc2dbd4570"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-ct-vue/hooks.mjs"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 65873, "scanner": "repobility-threat-engine", "fingerprint": "de66d4ab3e5b7643f2d9b228ce1e9ef04da31eecab55d45dd8e53637deb17980", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de66d4ab3e5b7643f2d9b228ce1e9ef04da31eecab55d45dd8e53637deb17980"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-ct-react17/hooks.mjs"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 65872, "scanner": "repobility-threat-engine", "fingerprint": "4568912a1017e7cbd38a05cbede7e3bf3b4831606b8582e401ed49cb26caf874", 
"category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4568912a1017e7cbd38a05cbede7e3bf3b4831606b8582e401ed49cb26caf874"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-ct-react/hooks.mjs"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 65871, "scanner": "repobility-threat-engine", "fingerprint": "39892dc4c9c54e40c317d394e7838e899ed2b6511b5486f1a8197540e2e5ad0d", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|152|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/tools/utils/mcp/http.ts"}, "region": {"startLine": 152}}}]}, {"ruleId": "SEC013", "level": "none", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "properties": {"repobilityId": 65866, "scanner": "repobility-threat-engine", "fingerprint": "75f22750f5eefefb3a3ce8f933bc32c82dff4c8e9ca3ec94aeac313553cfbd0d", "category": "path_traversal", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|75f22750f5eefefb3a3ce8f933bc32c82dff4c8e9ca3ec94aeac313553cfbd0d"}}}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 65862, "scanner": "repobility-threat-engine", "fingerprint": "1f1f0cb9bb9ab7a35434597313d091cfb73f68684734a7b6d0ca82ece06b2e8e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1f1f0cb9bb9ab7a35434597313d091cfb73f68684734a7b6d0ca82ece06b2e8e"}}}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 65861, "scanner": "repobility-threat-engine", "fingerprint": "928a9e2bee0171541d2c037a6bb0582c0e251bee397053ccf7a27a818848c730", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.json' detected on same line", "evidence": {"match": "require(path", "reason": "Safe pattern '\\.json' detected on same line", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|928a9e2bee0171541d2c037a6bb0582c0e251bee397053ccf7a27a818848c730"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/cli/installActions.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 65860, "scanner": "repobility-threat-engine", "fingerprint": "aa2b4ff80dde04d43a1dd614184831f85e57082f15ef3faab9aa9adc42b757db", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.json' detected on same line", "evidence": {"match": "require(path", "reason": "Safe pattern '\\.json' detected on same line", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|aa2b4ff80dde04d43a1dd614184831f85e57082f15ef3faab9aa9adc42b757db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/cli/driver.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "properties": {"repobilityId": 65856, "scanner": "repobility-threat-engine", "fingerprint": "8d2f0e6df730702997406fb7501c288022748e91f9d107e35004cb96d4ec94ee", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 21 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8d2f0e6df730702997406fb7501c288022748e91f9d107e35004cb96d4ec94ee", "aggregated_count": 21}}}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 65850, "scanner": "repobility-threat-engine", "fingerprint": "4fe706a6ba2ec998df56004c825560d96a00b1f3ca85ed411d2db791865d5fd4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4fe706a6ba2ec998df56004c825560d96a00b1f3ca85ed411d2db791865d5fd4"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 65842, "scanner": "repobility-threat-engine", "fingerprint": "7ad821c68fd7d69c56ceaf843dc975879999279796dea3d5e69af832688addea", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7ad821c68fd7d69c56ceaf843dc975879999279796dea3d5e69af832688addea"}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 65838, "scanner": "repobility-threat-engine", "fingerprint": "f03b1b74f5e01ddcb250f45b6cb780c26f6bacabfa1f468d167f224d85db41eb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f03b1b74f5e01ddcb250f45b6cb780c26f6bacabfa1f468d167f224d85db41eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/errorMessage.tsx"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 65837, "scanner": "repobility-threat-engine", "fingerprint": "927a9ce41d4794fa698e3c8b76701a00c1b102a9146060d937fd4ad4a8cb81c4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|927a9ce41d4794fa698e3c8b76701a00c1b102a9146060d937fd4ad4a8cb81c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/trace-viewer/src/ui/consoleTab.tsx"}, "region": {"startLine": 200}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 65836, "scanner": "repobility-threat-engine", "fingerprint": "53ebec8fa65d4399ea53cf9c66b435249e42d58a0d33cf053d863dc0be11f791", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|53ebec8fa65d4399ea53cf9c66b435249e42d58a0d33cf053d863dc0be11f791"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/html-reporter/src/testErrorView.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 65835, "scanner": "repobility-threat-engine", "fingerprint": "5604b0415ef1c219adfd5f12877e5f4c0affdedeba09d684a49e22087970a270", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5604b0415ef1c219adfd5f12877e5f4c0affdedeba09d684a49e22087970a270"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 65831, "scanner": "repobility-threat-engine", "fingerprint": "6f29a49537bea627ab6a257fe5e36f59f1b6024722ac97214fa811a5ef73ad6c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6f29a49537bea627ab6a257fe5e36f59f1b6024722ac97214fa811a5ef73ad6c", "aggregated_count": 4}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 65830, "scanner": "repobility-threat-engine", "fingerprint": "2b81bc32fbbdc9e1bae58b1169f2ae2de88316b180de2a15b81dbb5ad07e05bb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", 
"jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2b81bc32fbbdc9e1bae58b1169f2ae2de88316b180de2a15b81dbb5ad07e05bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/recorder/src/callLog.tsx"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 65829, "scanner": "repobility-threat-engine", "fingerprint": "487803c27ded875a7c024bd19e9c227988793ab48c0dec6d014087ca1dfc9d4b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|487803c27ded875a7c024bd19e9c227988793ab48c0dec6d014087ca1dfc9d4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/html-reporter/src/testCaseView.tsx"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 65828, "scanner": "repobility-threat-engine", "fingerprint": "d4e2374cf08b6b54176973345e54936ed03cd9865f5bf201f1e1cba69508f6a4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d4e2374cf08b6b54176973345e54936ed03cd9865f5bf201f1e1cba69508f6a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/html-reporter/src/gantt.tsx"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "properties": {"repobilityId": 65827, "scanner": "repobility-threat-engine", "fingerprint": "27889287870c027ebebeea48f05f306b3fd71dd3dbeb30f791cdf11fe01d7ab5", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 42 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|27889287870c027ebebeea48f05f306b3fd71dd3dbeb30f791cdf11fe01d7ab5", "aggregated_count": 42}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 65826, "scanner": "repobility-threat-engine", "fingerprint": "579fce1a5c6c399d993c30b5f44918a7b880a8cefe4887ca9a1a753dbd6fa3e4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|579fce1a5c6c399d993c30b5f44918a7b880a8cefe4887ca9a1a753dbd6fa3e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/html-reporter/src/filter.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 65825, "scanner": "repobility-threat-engine", "fingerprint": "8e65a83a6233101db22869e570145739b41dee5903ecdfe7c013429fee37cf05", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8e65a83a6233101db22869e570145739b41dee5903ecdfe7c013429fee37cf05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/html-reporter/src/chip.tsx"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 65824, "scanner": "repobility-threat-engine", "fingerprint": "8e9d18aaae00d4febfc3e6ce3ab0542fd09c588ed60c83d0fb376f5c024f213d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8e9d18aaae00d4febfc3e6ce3ab0542fd09c588ed60c83d0fb376f5c024f213d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/extension/src/ui/icons.tsx"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 57 more): Same pattern found in 57 additional files. 
Review if needed."}, "properties": {"repobilityId": 65823, "scanner": "repobility-threat-engine", "fingerprint": "d05443f48868bc7fcb9a90b4a33fc57fdfc46aa42d7148498897d99c1b63b444", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 57 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d05443f48868bc7fcb9a90b4a33fc57fdfc46aa42d7148498897d99c1b63b444", "aggregated_count": 57}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 65822, "scanner": "repobility-threat-engine", "fingerprint": "0a24622123482e1b10cb591f6438bf19b4dd08a7221b21adf689d1af4e22fa82", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0a24622123482e1b10cb591f6438bf19b4dd08a7221b21adf689d1af4e22fa82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/injected/src/bindingsController.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 65821, "scanner": "repobility-threat-engine", "fingerprint": "130dff3e7734fa58dd98fed5076a2c7f22f71e3fdb17a2405ad7a65583b5270c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|130dff3e7734fa58dd98fed5076a2c7f22f71e3fdb17a2405ad7a65583b5270c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/html-reporter/src/index.tsx"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 65820, "scanner": "repobility-threat-engine", "fingerprint": "5039f664f97d0ae16eca3767934d8d8d8fb882b1a38dedea549325b08e4f1245", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5039f664f97d0ae16eca3767934d8d8d8fb882b1a38dedea549325b08e4f1245"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/extension/src/background.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 107 more): Same pattern found in 107 additional files. Review if needed."}, "properties": {"repobilityId": 65819, "scanner": "repobility-threat-engine", "fingerprint": "a28c8ac33e6d1d56ea3a9e1583c3a617b0d0571f19ceabdbf373b6d8c74d7eeb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 107 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a28c8ac33e6d1d56ea3a9e1583c3a617b0d0571f19ceabdbf373b6d8c74d7eeb", "aggregated_count": 107}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 65818, "scanner": "repobility-threat-engine", "fingerprint": "ee865ef1d8b1de01481f241ac0beaaa633e081810827c1b1d81a2922fffa0d1e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ee865ef1d8b1de01481f241ac0beaaa633e081810827c1b1d81a2922fffa0d1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dashboard/src/transport.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 65817, "scanner": "repobility-threat-engine", "fingerprint": "df21a02d82923339ce244850d29dc00f842ee1c120ac91d4c90411fdc7907b2b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|df21a02d82923339ce244850d29dc00f842ee1c120ac91d4c90411fdc7907b2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dashboard/src/dashboardClient.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 65816, "scanner": "repobility-threat-engine", "fingerprint": "7a9ae9c592ed8f72f95b57a04da49e14d01229b3c29c062edaf8c57a8b2b64d7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7a9ae9c592ed8f72f95b57a04da49e14d01229b3c29c062edaf8c57a8b2b64d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dashboard/src/annotationImage.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "properties": {"repobilityId": 65815, "scanner": "repobility-threat-engine", "fingerprint": "e825738ec7da8cc4c5fc1c7b1e2e5ecd54d2b285aea67b38e8160dd59e9efdd5", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 40 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 40 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e825738ec7da8cc4c5fc1c7b1e2e5ecd54d2b285aea67b38e8160dd59e9efdd5"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 75 more): Same pattern found in 75 additional files. Review if needed."}, "properties": {"repobilityId": 65811, "scanner": "repobility-threat-engine", "fingerprint": "c887220d33ea95a737099925153153f8c114299d62f8e8187b34debdd0fcf27a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 75 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c887220d33ea95a737099925153153f8c114299d62f8e8187b34debdd0fcf27a", "aggregated_count": 75}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 65810, "scanner": "repobility-threat-engine", "fingerprint": "40de52c5ea0a71a3b666b711163c1fff46424d50d1c670747a3d2ca5e16de325", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", 
"triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|40de52c5ea0a71a3b666b711163c1fff46424d50d1c670747a3d2ca5e16de325"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dashboard/src/annotationZip.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 65809, "scanner": "repobility-threat-engine", "fingerprint": "a77b834d626cd0929d0889d44adb1f661355237c78d5b405a00f19fc32fd42c7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a77b834d626cd0929d0889d44adb1f661355237c78d5b405a00f19fc32fd42c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dashboard/src/annotationImage.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 65808, "scanner": "repobility-threat-engine", "fingerprint": "d1574f0632347ad9be7d1ad33edafa2b40471d5783d93e170cdf90d5a0b3d5e7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": 
["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d1574f0632347ad9be7d1ad33edafa2b40471d5783d93e170cdf90d5a0b3d5e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dashboard/src/annotateView.tsx"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 65805, "scanner": "repobility-threat-engine", "fingerprint": "ebbcb3324a9c65a0756be9fc0fd2369fc4f40c3e49d97e3821cb1a10bbed389c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ebbcb3324a9c65a0756be9fc0fd2369fc4f40c3e49d97e3821cb1a10bbed389c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser_patches/firefox/juggler/screencast/nsScreencastService.cpp"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 65804, "scanner": "repobility-threat-engine", "fingerprint": "b62bb346719224b23d32119cf1b963e04a4425af5158f20ce0e00a8bed6376a2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b62bb346719224b23d32119cf1b963e04a4425af5158f20ce0e00a8bed6376a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser_patches/firefox/juggler/pipe/nsRemoteDebuggingPipe.cpp"}, "region": {"startLine": 91}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 44 more): Same pattern found in 44 additional files. Review if needed."}, "properties": {"repobilityId": 65803, "scanner": "repobility-threat-engine", "fingerprint": "b10001b7872e3cbc73b6fc73271d28d497776ed4e591892f7963a1a57d4ab47c", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 44 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 44 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b10001b7872e3cbc73b6fc73271d28d497776ed4e591892f7963a1a57d4ab47c"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 49 more): Same pattern found in 49 additional files. 
Review if needed."}, "properties": {"repobilityId": 65799, "scanner": "repobility-threat-engine", "fingerprint": "78a697bdbaad0ebd43efa8d7116b1254fbadb2bbd064c26ba474f0748e609186", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 49 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|78a697bdbaad0ebd43efa8d7116b1254fbadb2bbd064c26ba474f0748e609186", "aggregated_count": 49}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 65798, "scanner": "repobility-threat-engine", "fingerprint": "00ad8fbf7fe5cfb183fda30b9c532627fa1ec81650a080bf61de036771295cc8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|00ad8fbf7fe5cfb183fda30b9c532627fa1ec81650a080bf61de036771295cc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/webauthn/seed-credential.mjs"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 65797, "scanner": "repobility-threat-engine", "fingerprint": "e84f84a1381418fdfbdfb57846e5b37d22e46c31e8b10875a03c8ee0cf7b875d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e84f84a1381418fdfbdfb57846e5b37d22e46c31e8b10875a03c8ee0cf7b875d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/webauthn/register-and-login.mjs"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 65796, "scanner": "repobility-threat-engine", "fingerprint": "1a6770ee4e260fc14d9e16a5fc54e152bade1445dde4c3f7554243578520a7b8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1a6770ee4e260fc14d9e16a5fc54e152bade1445dde4c3f7554243578520a7b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser_patches/firefox/juggler/ChannelEventSink.sys.mjs"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 64 more): Same pattern found in 64 additional files. Review if needed."}, "properties": {"repobilityId": 65795, "scanner": "repobility-threat-engine", "fingerprint": "27d1ef029a7f705a2e39e77d9bd99d62c06281a6b0ecbbe0b60d99e9750be37d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 64 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 64 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|27d1ef029a7f705a2e39e77d9bd99d62c06281a6b0ecbbe0b60d99e9750be37d"}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `packages/playwright-core/src/server/android/driver/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `packages/playwright-core/src/server/android/driver/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (60,756 bytes) committed to a repo that otherwise has 1659 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 65987, "scanner": "repobility-supply-chain", "fingerprint": "e4a6842d8eb2eee5de5eab942d39629238a063ee4b7deb334ccf7211b348628f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e4a6842d8eb2eee5de5eab942d39629238a063ee4b7deb334ccf7211b348628f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/server/android/driver/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65973, "scanner": "repobility-supply-chain", "fingerprint": "27d886f5b353cc8d4699132e07b6f724d3a4b2b857e1256dcd2b1ac49954aa73", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|27d886f5b353cc8d4699132e07b6f724d3a4b2b857e1256dcd2b1ac49954aa73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_extension.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `azure/login` pinned to mutable ref `@v3`: `uses: azure/login@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65972, "scanner": "repobility-supply-chain", "fingerprint": "328412dbacfbfa4eee7cc0059722e60f47329233666c64ac73406881e02dd258", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|328412dbacfbfa4eee7cc0059722e60f47329233666c64ac73406881e02dd258"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_docker.yml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `azure/login` pinned to mutable ref `@v3`: `uses: azure/login@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65971, "scanner": "repobility-supply-chain", "fingerprint": "812d1a60111b50e510b3c730cab0083ac032eb4cdc50d82141120df9d634f227", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|812d1a60111b50e510b3c730cab0083ac032eb4cdc50d82141120df9d634f227"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_docker.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65970, "scanner": "repobility-supply-chain", "fingerprint": "d67b0e62e56f3b03c7e196b62da654341c307df8cc32206a636ea09251d8f815", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d67b0e62e56f3b03c7e196b62da654341c307df8cc32206a636ea09251d8f815"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_docker.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65969, "scanner": "repobility-supply-chain", "fingerprint": "b8563a570422f0b383eaacde01ef96a8ae814c19ade6241c7dc93e9d461ea863", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b8563a570422f0b383eaacde01ef96a8ae814c19ade6241c7dc93e9d461ea863"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_docker.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65968, "scanner": "repobility-supply-chain", "fingerprint": "841f29426ff9daa5c9ae2b1ac5af81e333ad0b8b32f161ab6734c4c3533a6ac9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|841f29426ff9daa5c9ae2b1ac5af81e333ad0b8b32f161ab6734c4c3533a6ac9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/copilot-setup-steps.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65967, "scanner": "repobility-supply-chain", "fingerprint": "85f40a5637b703e63f32e69144e12b38502f3d978c728f63b993b05b39218adf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|85f40a5637b703e63f32e69144e12b38502f3d978c728f63b993b05b39218adf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/copilot-setup-steps.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65966, "scanner": "repobility-supply-chain", "fingerprint": "fbb99b05b5adafb52414ecb0f0b6c0a59cb04c70fc0d8f361036af3167f64739", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fbb99b05b5adafb52414ecb0f0b6c0a59cb04c70fc0d8f361036af3167f64739"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr_check_client_side_changes.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v3`: `uses: actions/create-github-app-token@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65965, "scanner": "repobility-supply-chain", "fingerprint": "02a459d8efeb8f8f520b2fe68e6694686a3d07c534efc27a08e7f735cc797ae0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|02a459d8efeb8f8f520b2fe68e6694686a3d07c534efc27a08e7f735cc797ae0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr_check_client_side_changes.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65964, "scanner": "repobility-supply-chain", "fingerprint": "e1a8d1d7e0d5e6e6b4dc99291e9b58b89dba3a704738e4754fa6335c59b0c5db", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e1a8d1d7e0d5e6e6b4dc99291e9b58b89dba3a704738e4754fa6335c59b0c5db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr_check_client_side_changes.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65963, "scanner": "repobility-supply-chain", "fingerprint": "b932a01f5a9ae5408ebc004f6261bda20743f234b0b452f82c2c49b38b268148", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b932a01f5a9ae5408ebc004f6261bda20743f234b0b452f82c2c49b38b268148"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_components.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65962, "scanner": "repobility-supply-chain", "fingerprint": "ba1685f2f064d9fb20b708f04ad69a9d03f19dc2b0796530ba5f70d2b07c7cd9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ba1685f2f064d9fb20b708f04ad69a9d03f19dc2b0796530ba5f70d2b07c7cd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_components.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65961, "scanner": "repobility-supply-chain", "fingerprint": "10bf198ab26e7d6b6440c175362fde0f56d74e05512c2ca3610207beb5be1f36", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|10bf198ab26e7d6b6440c175362fde0f56d74e05512c2ca3610207beb5be1f36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/roll_nodejs.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v3`: `uses: actions/create-github-app-token@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65960, "scanner": "repobility-supply-chain", "fingerprint": "a39c6ad2a428df7fdc0775d80d8131a4985f5e387f4378c3d4b6b5a4d70bb40d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a39c6ad2a428df7fdc0775d80d8131a4985f5e387f4378c3d4b6b5a4d70bb40d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/roll_nodejs.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65959, "scanner": "repobility-supply-chain", "fingerprint": "38fdd7f7080e20eb0d2823f80f3e3e80fdd3206b6feb009dc61c44c66e7323bb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|38fdd7f7080e20eb0d2823f80f3e3e80fdd3206b6feb009dc61c44c66e7323bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/roll_nodejs.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65958, "scanner": "repobility-supply-chain", "fingerprint": "2b570a59659627a3db0cc50df0f79ba09a9151d435b950e96653c7659edf3f87", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2b570a59659627a3db0cc50df0f79ba09a9151d435b950e96653c7659edf3f87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/roll_nodejs.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65954, "scanner": "repobility-supply-chain", "fingerprint": "b8b413db534d7fd5784a3aa09803e9660320caf144f773a21f6e6db6e401004a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b8b413db534d7fd5784a3aa09803e9660320caf144f773a21f6e6db6e401004a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_mcp.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65944, "scanner": "repobility-supply-chain", "fingerprint": "aec4d150cd11d1b5f3ed2ae0f4fe5856b56c64c5630d267dc2d535cb29cd2d5b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aec4d150cd11d1b5f3ed2ae0f4fe5856b56c64c5630d267dc2d535cb29cd2d5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_others.yml"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65943, "scanner": "repobility-supply-chain", "fingerprint": "f5a6a1557a2608f46da12354e57f1f93348f068ad87c909e0dad15bd92670e29", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f5a6a1557a2608f46da12354e57f1f93348f068ad87c909e0dad15bd92670e29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_others.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65942, "scanner": "repobility-supply-chain", "fingerprint": "9a16178ed4071c29b53701e282a796dd40633b185a9c683dba67367034333f56", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a16178ed4071c29b53701e282a796dd40633b185a9c683dba67367034333f56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_others.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `azure/login` pinned to mutable ref `@v3`: `uses: azure/login@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65941, "scanner": "repobility-supply-chain", "fingerprint": "9d0f599bb8fd025d7de5f89b8bdbb03a4b900c283fe0e625a60ced9f131e4e8e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9d0f599bb8fd025d7de5f89b8bdbb03a4b900c283fe0e625a60ced9f131e4e8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish_release_docker.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65940, "scanner": "repobility-supply-chain", "fingerprint": "7a2beb4c2612782af32d8a8eb9720be2616d4bdb458dc355b2b8ccd36fa1edfb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7a2beb4c2612782af32d8a8eb9720be2616d4bdb458dc355b2b8ccd36fa1edfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish_release_docker.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65939, "scanner": "repobility-supply-chain", "fingerprint": "4ad9dac8acaa389bc5d790dc775587c2f273006176ecd077bfa032413c2ed0a0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4ad9dac8acaa389bc5d790dc775587c2f273006176ecd077bfa032413c2ed0a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish_release_docker.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65938, "scanner": "repobility-supply-chain", "fingerprint": "cd74369821c89e5d64eed42da3117dbc78c924da64a8980fac603897002fd893", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd74369821c89e5d64eed42da3117dbc78c924da64a8980fac603897002fd893"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/todomvc/.github/workflows/copilot-setup-steps.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 65937, "scanner": "repobility-supply-chain", "fingerprint": "6026dadf2b196122ddb026789b397fa3d6accfe862956e37dcf09bc7beb7dbdc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6026dadf2b196122ddb026789b397fa3d6accfe862956e37dcf09bc7beb7dbdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/todomvc/.github/workflows/copilot-setup-steps.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:noble` not pinned by digest: `FROM ubuntu:noble` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 65936, "scanner": "repobility-supply-chain", "fingerprint": "1094e41b955f0ca3a1bace9748cb412b1f449f1f137fd10e1b3d2e894103765c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1094e41b955f0ca3a1bace9748cb412b1f449f1f137fd10e1b3d2e894103765c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/docker/Dockerfile.noble"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:jammy` not pinned by digest: `FROM ubuntu:jammy` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 65935, "scanner": "repobility-supply-chain", "fingerprint": "b537e92ed90ccc6db3056fb751726ec24c1bacbd946f5f71df8aa4a2a7fdad72", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b537e92ed90ccc6db3056fb751726ec24c1bacbd946f5f71df8aa4a2a7fdad72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/docker/Dockerfile.jammy"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 65927, "scanner": "repobility-journey-contract", "fingerprint": "0030281c37b65f6e2cf8c9c7003077ab22fbee9c8f3438932228c00eab8d5aad", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|5|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/assets/screenshots/controls.html"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. 
libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 65884, "scanner": "repobility-threat-engine", "fingerprint": "d24b6f4c66d6c4f0f51098524f840d915320e2b7b224dc67e496343616d3abe6", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "xml2js.parseString(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d24b6f4c66d6c4f0f51098524f840d915320e2b7b224dc67e496343616d3abe6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/generate_chromium_default_font_families.js"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 65878, "scanner": "repobility-threat-engine", "fingerprint": "7991674b84fd07a1c18f4882bd177a908570f74e2547ae779db971a642d51da6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7991674b84fd07a1c18f4882bd177a908570f74e2547ae779db971a642d51da6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/ansi2html.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command 
injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0). Note: the match `exec(messageFormat` is on the bare method name; confirm the receiver is `child_process` and not a `RegExp` (whose `.exec()` takes the string to match) before treating this as command injection, since a trace-viewer UI component (`.tsx`) is unlikely to spawn processes."}, "properties": {"repobilityId": 65877, "scanner": "repobility-threat-engine", "fingerprint": "538fe4a2004375752176e4fd237b7a9c3efebccfb5b83b955a1803c6de2c7b77", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(messageFormat", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|538fe4a2004375752176e4fd237b7a9c3efebccfb5b83b955a1803c6de2c7b77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/trace-viewer/src/ui/consoleTab.tsx"}, "region": {"startLine": 223}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 65876, "scanner": "repobility-threat-engine", "fingerprint": "27df819e1512e719cf3161e978cb77cbda7e68a9019329781803332c12fa571f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(titleFormat", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|27df819e1512e719cf3161e978cb77cbda7e68a9019329781803332c12fa571f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/trace-viewer/src/ui/actionList.tsx"}, "region": {"startLine": 182}}}]}, {"ruleId": "SEC038", "level": "error", "message": {"text": "[SEC038] HTTP Request Smuggling Risk \u2014 TE/CL mismatch: HTTP Request Smuggling (HRS) abuses parser disagreement between front-end and back-end servers about request boundaries when Transfer-Encoding and Content-Length both present. Attackers smuggle a second request, stealing other users' responses or bypassing auth. CWE-444. 
Real CVEs: CVE-2019-16276 (Go net/http), CVE-2020-10719 (Undertow), plus the Cloudflare/Akamai/Varnish disclosures. Note: the match `headers['transfer-encoding'] =` in a browser-download helper looks like a header being set on an outbound client request rather than a server parsing ambiguous framing; HRS needs a front-end/back-end pair that disagree on message boundaries, so confirm that topology before treating this as confirmed."}, "properties": {"repobilityId": 65870, "scanner": "repobility-threat-engine", "fingerprint": "7c1dd66558eee15abd7c0a90fb51407b79e80a3b3daa3c3837de375c80ad37a7", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "headers['transfer-encoding'] =", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC038", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|78|sec038"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/server/registry/oopDownloadBrowserMain.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 65869, "scanner": "repobility-threat-engine", "fingerprint": "0509493a242a1d5f6e1fc84936daa56aa360ceeac09f269aa4d4a13033c2f3db", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(documentationRoot, 'api', 'params", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|39|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/render_release_notes.mjs"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 65868, "scanner": "repobility-threat-engine", "fingerprint": "939e6a7ee6901e3ba9783ca49c5523efc9d8a6c3d04f2e5eb2610c7154b96b56", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(ROOT, 'packages', 'injected', 'src', 'webview', 'webViewInput", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|utils/generate_injected.js|78|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "utils/generate_injected.js"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 65867, "scanner": "repobility-threat-engine", "fingerprint": "6ba2fb2b10a322944f86881c7ca0cc57f5787ea249ec762dd3e8b19908523301", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(params.tracesDir || tmpDir!, params", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|219|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/server/localUtils.ts"}, "region": {"startLine": 219}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 65865, "scanner": "repobility-threat-engine", "fingerprint": "e9cec1a8aab7cba468dc5295ebc08b4c2905cb3ed916db16055eaa9da87556cc", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(params: channels.LocalUtilsHarOpenParams", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|58|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/server/dispatchers/localUtilsDispatcher.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 65864, "scanner": "repobility-threat-engine", "fingerprint": "bb6fd9a427ceb8a1c4efb2e5ecb4ab9720146c50cc2debaf6fad05c893035c19", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(params: channels.AndroidDevicePinchOpenParams", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|95|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/server/dispatchers/androidDispatcher.ts"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 65863, "scanner": "repobility-threat-engine", "fingerprint": "d11f229a08d52101a1218db6216bd4e7cacd3112d6bf6d9759be19a79bc862d2", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(params: channels.LocalUtilsHarOpenParams", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|46|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/client/localUtils.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) lets any website read the response to a credential-less cross-origin request. 
Browsers refuse to honor `*` together with `Access-Control-Allow-Credentials: true`, so the wildcard by itself cannot expose cookie-authenticated data; the dangerous pattern is a server that reflects the request Origin while enabling credentials. Triage by checking what this endpoint serves and whether it is reachable from untrusted origins."}, "properties": {"repobilityId": 65858, "scanner": "repobility-threat-engine", "fingerprint": "521f7a97f00f379a483a4b55e92284afa3fce0b9f7c44733d73c8818bc7f8551", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin', '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|521f7a97f00f379a483a4b55e92284afa3fce0b9f7c44733d73c8818bc7f8551"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/server/webkit/webview/dialogBridge.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) lets any website read the response to a credential-less cross-origin request. 
Browsers refuse to honor `*` together with `Access-Control-Allow-Credentials: true`, so the wildcard by itself cannot expose cookie-authenticated data; the dangerous pattern is a server that reflects the request Origin while enabling credentials. Triage by checking what this endpoint serves and whether it is reachable from untrusted origins."}, "properties": {"repobilityId": 65857, "scanner": "repobility-threat-engine", "fingerprint": "b9cd25f974eb7b76f7d40d23c0d0a1bcf54920376fa5c16f6d8c01345f139bd1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin', '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b9cd25f974eb7b76f7d40d23c0d0a1bcf54920376fa5c16f6d8c01345f139bd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/trace/snapshotServer.ts"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 65855, "scanner": "repobility-threat-engine", "fingerprint": "3b00168cf59102f6adf9fced82a3b4e271f718dd28ddb5aab382903d8a14e3fe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3b00168cf59102f6adf9fced82a3b4e271f718dd28ddb5aab382903d8a14e3fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/trace/traceLoader.ts"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak 
Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 65854, "scanner": "repobility-threat-engine", "fingerprint": "da646aa27164c678efb4ac9a0f054327eb77d681d50ee9547c263ec5a18db558", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|da646aa27164c678efb4ac9a0f054327eb77d681d50ee9547c263ec5a18db558"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/trace/snapshotServer.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 65853, "scanner": "repobility-threat-engine", "fingerprint": "864a76b4047168232fef989c0e4036ccfb3fc4be919417aa2a95468767f15546", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|864a76b4047168232fef989c0e4036ccfb3fc4be919417aa2a95468767f15546"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/trace/entries.ts"}, "region": {"startLine": 50}}}]}, 
{"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 65849, "scanner": "repobility-threat-engine", "fingerprint": "14f56e12ed38b93bdfc002e4f52bfa0e2c9ec7fbecffb9127e0998535bf5b110", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(value", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|14f56e12ed38b93bdfc002e4f52bfa0e2c9ec7fbecffb9127e0998535bf5b110"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/rtti.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 65848, "scanner": "repobility-threat-engine", "fingerprint": "669055e3fc383e010e4715357388090250a18431bfbc25a7ed7cabe64d2d3514", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(param", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|669055e3fc383e010e4715357388090250a18431bfbc25a7ed7cabe64d2d3514"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/locatorParser.ts"}, "region": {"startLine": 206}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 65847, "scanner": "repobility-threat-engine", "fingerprint": "61ae0fbda384144477efac601592c86aef74a8493ac67c3b95ea4ea4db384ffe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|61ae0fbda384144477efac601592c86aef74a8493ac67c3b95ea4ea4db384ffe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/jsonSchema.ts"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 65834, "scanner": "repobility-threat-engine", "fingerprint": "efe50552f668497139a4a38f2044e60a85c3907e185322aa38d03e5e17df2a7c", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([k, v]) => `${k}: ${v}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|efe50552f668497139a4a38f2044e60a85c3907e185322aa38d03e5e17df2a7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/tools/backend/network.ts"}, "region": {"startLine": 243}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 65833, "scanner": "repobility-threat-engine", "fingerprint": "d5ff144964b1cf2f4192fe777bffa718f052f3ba0600ed95ec8a88907f25ef68", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([n, v]) => `[${n}=${v}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d5ff144964b1cf2f4192fe777bffa718f052f3ba0600ed95ec8a88907f25ef68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/isomorphic/locatorUtils.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 65832, "scanner": "repobility-threat-engine", "fingerprint": "cdf9516e0dad1ec5caa66a1223c4fd37072e39f6574ce20c2874f234db593992", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((a, i) => `trace=${new URL(a.path!, window.location.href)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cdf9516e0dad1ec5caa66a1223c4fd37072e39f6574ce20c2874f234db593992"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/html-reporter/src/links.tsx"}, "region": {"startLine": 184}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 65814, "scanner": "repobility-threat-engine", "fingerprint": "7924024504687f233738ae5ada11f48f43dbe64ec799698ea074b9956116a7fd", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7924024504687f233738ae5ada11f48f43dbe64ec799698ea074b9956116a7fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/extension/src/background.ts"}, "region": {"startLine": 134}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 65813, "scanner": "repobility-threat-engine", "fingerprint": "300c5b3ffe66239067be2e7398e3417fe3776c608f48632e64439f80e5f8c335", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|300c5b3ffe66239067be2e7398e3417fe3776c608f48632e64439f80e5f8c335"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dashboard/src/sessionSidebar.tsx"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 65812, "scanner": "repobility-threat-engine", "fingerprint": "80eada4232635c35bf8a9d91b86f490de47b8fbd572645a70a8ea8932f806187", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|80eada4232635c35bf8a9d91b86f490de47b8fbd572645a70a8ea8932f806187"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dashboard/src/annotationImage.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 65807, "scanner": "repobility-threat-engine", "fingerprint": "9b10fd5f77484cc298d35a21aef329f6abae2612aaa65dd59f868705fbc3d4f7", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|173|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/web/src/components/codeMirrorWrapper.tsx"}, "region": {"startLine": 173}}}]}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 65806, "scanner": "repobility-threat-engine", "fingerprint": "3065ce497a0024493ad5d46817b7495cc3c12837d25e160796213ef956c38a79", "category": 
"injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|44|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/mock-battery/demo-battery-api/src/index.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 65794, "scanner": "repobility-threat-engine", "fingerprint": "de3224130904059147b289546658792bfc00fc8506f87d34b7536e37ac96ddac", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this._pendingMessages.delete(messageId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|de3224130904059147b289546658792bfc00fc8506f87d34b7536e37ac96ddac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser_patches/firefox/juggler/SimpleChannel.js"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 65793, "scanner": "repobility-threat-engine", "fingerprint": "cd8ab4c1889f898f824db1d912363d8dbeb46cf0d7995e4faf4bfc64b2e8cb4c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this._pendingEventWatchers.delete(this);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cd8ab4c1889f898f824db1d912363d8dbeb46cf0d7995e4faf4bfc64b2e8cb4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser_patches/firefox/juggler/Helper.js"}, "region": {"startLine": 228}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 65792, "scanner": "repobility-threat-engine", "fingerprint": "932766b65d18b07a5c7e5421526737f44f97a873d4ea03f508d8d72227afaf41", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.collectors.delete(collector);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|932766b65d18b07a5c7e5421526737f44f97a873d4ea03f508d8d72227afaf41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser_patches/firefox/juggler/ChannelEventSink.sys.mjs"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65986, "scanner": "repobility-supply-chain", "fingerprint": "75f389c589cb678b37c01368ff49a320fccc11331df88f3bc3288f647a9482d4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|75f389c589cb678b37c01368ff49a320fccc11331df88f3bc3288f647a9482d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_secondary.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_SUBSCRIPTION_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_SUBSCRIPTION_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65985, "scanner": "repobility-supply-chain", "fingerprint": "a066450bd2e79e03b9ceec2d4379f1db5b0265e045b083359abc9c8285d6e41e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a066450bd2e79e03b9ceec2d4379f1db5b0265e045b083359abc9c8285d6e41e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_primary.yml"}, "region": {"startLine": 214}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_TENANT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65984, "scanner": "repobility-supply-chain", "fingerprint": "61baa51f35cac6f9a3ed3b447f0a27bb9a533edfb4be77dacaab0c2a6faa61be", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|61baa51f35cac6f9a3ed3b447f0a27bb9a533edfb4be77dacaab0c2a6faa61be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_primary.yml"}, "region": {"startLine": 213}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65983, "scanner": "repobility-supply-chain", "fingerprint": "9af82b66ba72af2dcb96dd3935c19a02c5190b801b948d1980b1bc83c3b67419", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9af82b66ba72af2dcb96dd3935c19a02c5190b801b948d1980b1bc83c3b67419"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_primary.yml"}, "region": {"startLine": 212}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_SUBSCRIPTION_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_SUBSCRIPTION_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65982, "scanner": "repobility-supply-chain", "fingerprint": "bccee693068ea96aea79f0428bd6ab8771e758175d29c1bb1e6e38561725a63c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bccee693068ea96aea79f0428bd6ab8771e758175d29c1bb1e6e38561725a63c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_primary.yml"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_TENANT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65981, "scanner": "repobility-supply-chain", "fingerprint": "25f16ddcb8ca2fcc38a2a718b3e78f47963532d98b25bf816a1dade0a33a9e6e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|25f16ddcb8ca2fcc38a2a718b3e78f47963532d98b25bf816a1dade0a33a9e6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_primary.yml"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65980, "scanner": "repobility-supply-chain", "fingerprint": "9a1cd3f82a5219fd226e91e5f47d2617e2df5cbe8db232291e43a5864de8439e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a1cd3f82a5219fd226e91e5f47d2617e2df5cbe8db232291e43a5864de8439e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_primary.yml"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_SUBSCRIPTION_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_SUBSCRIPTION_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65979, "scanner": "repobility-supply-chain", "fingerprint": "140c9c77c5e459426a812353144398d5b1c1f792789827b49a8e976b4d05f6a2", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|140c9c77c5e459426a812353144398d5b1c1f792789827b49a8e976b4d05f6a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_primary.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_TENANT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65978, "scanner": "repobility-supply-chain", "fingerprint": "6dc925e25a22fb09f404b0209a81685928d5e133de1fbd28fa341f66944a5fa4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6dc925e25a22fb09f404b0209a81685928d5e133de1fbd28fa341f66944a5fa4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_primary.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65977, "scanner": "repobility-supply-chain", "fingerprint": "f4221729f92052eafa03f9fb61e453901eed1d502241e220a98bf74411f1c3b7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f4221729f92052eafa03f9fb61e453901eed1d502241e220a98bf74411f1c3b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_primary.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_BLOB_REPORTS_SUBSCRIPTION_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_BLOB_REPORTS_SUBSCRIPTION_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65976, "scanner": "repobility-supply-chain", "fingerprint": "f87edd6cee7a2a0dc93002785bfa2bb6a2bf5c89f89573d8190f9780359a1c29", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f87edd6cee7a2a0dc93002785bfa2bb6a2bf5c89f89573d8190f9780359a1c29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_bidi.yml"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_BLOB_REPORTS_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_BLOB_REPORTS_TENANT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65975, "scanner": "repobility-supply-chain", "fingerprint": "fe39158523fd712e2eead9df9c4fcb96b475bc92555704616055502ee2aa0868", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe39158523fd712e2eead9df9c4fcb96b475bc92555704616055502ee2aa0868"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_bidi.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_BLOB_REPORTS_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_BLOB_REPORTS_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65974, "scanner": "repobility-supply-chain", "fingerprint": "fe3d5df51eced747f9989370790eb3d06194a5081b6b6e8944cfd16843accbad", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe3d5df51eced747f9989370790eb3d06194a5081b6b6e8944cfd16843accbad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_bidi.yml"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_SUBSCRIPTION_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_SUBSCRIPTION_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65957, "scanner": "repobility-supply-chain", "fingerprint": "3527184a43441dfc63e949fa1f118241a0470571e3d91444d4d864859ef357dd", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3527184a43441dfc63e949fa1f118241a0470571e3d91444d4d864859ef357dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_mcp.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_TENANT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65956, "scanner": "repobility-supply-chain", "fingerprint": "38a565df4d4973457b1f0a3fcc699cb97e37a72b9978e7f7aeec73e54abbdc71", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|38a565df4d4973457b1f0a3fcc699cb97e37a72b9978e7f7aeec73e54abbdc71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_mcp.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65955, "scanner": "repobility-supply-chain", "fingerprint": "2d447410d1cf711f2e1fb93fb1230c33e5e13215af8628ec73f9fc133250befb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2d447410d1cf711f2e1fb93fb1230c33e5e13215af8628ec73f9fc133250befb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_mcp.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_SUBSCRIPTION_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_SUBSCRIPTION_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65953, "scanner": "repobility-supply-chain", "fingerprint": "0adac3832dafa3b34f2cb9ed7e19111e5c7e5aa8e57e0f09f1bf5d33d63b2f47", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0adac3832dafa3b34f2cb9ed7e19111e5c7e5aa8e57e0f09f1bf5d33d63b2f47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_others.yml"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_TENANT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65952, "scanner": "repobility-supply-chain", "fingerprint": "4f80be351bb381234a46d8086aa1146ba6ae013ebb0182c451cfa2b3e192a463", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f80be351bb381234a46d8086aa1146ba6ae013ebb0182c451cfa2b3e192a463"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_others.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65951, "scanner": "repobility-supply-chain", "fingerprint": "1cc86dd7ef93c15227acf247b5f0f1deb3b2b46fd4282e7f73196851eedd5fbc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1cc86dd7ef93c15227acf247b5f0f1deb3b2b46fd4282e7f73196851eedd5fbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_others.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_SUBSCRIPTION_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_SUBSCRIPTION_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65950, "scanner": "repobility-supply-chain", "fingerprint": "a765fc753b082efeea518e5433616662a3411e6c44194ff25415a650ee87de3d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a765fc753b082efeea518e5433616662a3411e6c44194ff25415a650ee87de3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_others.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_TENANT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65949, "scanner": "repobility-supply-chain", "fingerprint": "72669ed844ec19c379dfff9a72204901ffc4076947350cd4e3fe9d559cdc48da", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|72669ed844ec19c379dfff9a72204901ffc4076947350cd4e3fe9d559cdc48da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_others.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65948, "scanner": "repobility-supply-chain", "fingerprint": "ae5b09ea3886f00a6a314586fa373b74165813c91947face28da98cb04a7f59e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae5b09ea3886f00a6a314586fa373b74165813c91947face28da98cb04a7f59e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_others.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_SUBSCRIPTION_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_SUBSCRIPTION_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65947, "scanner": "repobility-supply-chain", "fingerprint": "fa034b49f01664e01b65dc34d48c18927c67c8440ffa7210e3231bb51a8ca43b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa034b49f01664e01b65dc34d48c18927c67c8440ffa7210e3231bb51a8ca43b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_others.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_TENANT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65946, "scanner": "repobility-supply-chain", "fingerprint": "65a4bf5318b68a94b2ef3fe68abd1a235e7d1845419bfaa4bad33a643b1e9d58", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|65a4bf5318b68a94b2ef3fe68abd1a235e7d1845419bfaa4bad33a643b1e9d58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_others.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_FLAKINESS_DASHBOARD_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_FLAKINESS_DASHBOARD_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 65945, "scanner": "repobility-supply-chain", "fingerprint": "70c22a1fedc1172c3e25f665a22f772dfc8098b17a80d8149cc7defbb7fa6a6d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|70c22a1fedc1172c3e25f665a22f772dfc8098b17a80d8149cc7defbb7fa6a6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests_others.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "properties": {"repobilityId": 65875, "scanner": "repobility-threat-engine", "fingerprint": "6a6bf2d39cbdc7061c5538f0e31b3c51ea75e29b0e13146839571248d68ad08b", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a6bf2d39cbdc7061c5538f0e31b3c51ea75e29b0e13146839571248d68ad08b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-ct-vue/registerSource.mjs"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] 
JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 65859, "scanner": "repobility-threat-engine", "fingerprint": "75edc6ebe396cda7f664bbe45796cf9913eb26b34c110e3fe6e720546ebab2ee", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(descriptor", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|75edc6ebe396cda7f664bbe45796cf9913eb26b34c110e3fe6e720546ebab2ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/tools/utils/connect.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. 
Code injection risk."}, "properties": {"repobilityId": 65844, "scanner": "repobility-threat-engine", "fingerprint": "4e34fd1eb143acc98732e7d2fa2ac2345f6f9a0dbfd9e5fcb5457c4fa094926c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4e34fd1eb143acc98732e7d2fa2ac2345f6f9a0dbfd9e5fcb5457c4fa094926c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/playwright-core/src/tools/backend/evaluate.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. 
Code injection risk."}, "properties": {"repobilityId": 65843, "scanner": "repobility-threat-engine", "fingerprint": "d9ee817b11cf45a6c9a80716810c3ed080d0fb463e9efcfb64ce29dfab7f2a52", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d9ee817b11cf45a6c9a80716810c3ed080d0fb463e9efcfb64ce29dfab7f2a52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/injected/src/utilityScript.ts"}, "region": {"startLine": 73}}}]}]}]}