{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Combine update and install in the same RUN instruction and clean package indexes in that layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Use `pip install --no-cache-dir ...` in container builds."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC005", "name": "Duplicate top-level symbol appears in a patch-style file", "shortDescription": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "fullDescription": {"text": "Keep one authoritative implementation, update imports to point at it, and remove or rename the duplicate symbol."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 8 (SonarSource scale). Cognitive complexit", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 8."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED074", "name": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI halluci", "shortDescription": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED072", "name": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in.", "shortDescription": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED048", "name": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues.", "shortDescription": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED092", "name": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection.", "shortDescription": {"text": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.", "shortDescription": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.", "shortDescription": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.", "shortDescription": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `generators/java/generator-utils/src/main/resources/gradle-wrapper/gradle/wrapper/gradle-wrapper.", "shortDescription": {"text": "[MINED134] Binary file `generators/java/generator-utils/src/main/resources/gradle-wrapper/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `generators/java/generator-utils/src/main/resources/gradle-wrapper/gradle/wrapper/gradle-"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `node:24.16-alpine3.23` not pinned by digest: `FROM node:24.16-alpine3.23` resolves the tag a", "shortDescription": {"text": "[MINED118] Dockerfile FROM `node:24.16-alpine3.23` not pinned by digest: `FROM node:24.16-alpine3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Prod"}, "fullDescription": {"text": "Replace with: `FROM node:24.16-alpine3.23@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "[MINED131] pre-commit hook `https://github.com/python-poetry/poetry` pinned to mutable rev `1.2`: `.pre-commit-config.ya", "shortDescription": {"text": "[MINED131] pre-commit hook `https://github.com/python-poetry/poetry` pinned to mutable rev `1.2`: `.pre-commit-config.yaml` references `https://github.com/python-poetry/poetry` at `rev: 1.2`. If `{rev}` is a branch or version tag, the repo "}, "fullDescription": {"text": "Pin to a commit SHA: `rev: <40-char-sha>` and bump it through `pre-commit autoupdate` (which writes to PRs that are reviewed)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test__create_tree: Test function `test__create_tree` runs code but contains no assert ", "shortDescription": {"text": "[MINED106] Phantom test coverage: test__create_tree: Test function `test__create_tree` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.get_base_url` used but never assigned in __init__: Method `stream` of class `HttpClient` reads `self.ge", "shortDescription": {"text": "[MINED108] `self.get_base_url` used but never assigned in __init__: Method `stream` of class `HttpClient` reads `self.get_base_url`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the fi"}, "fullDescription": {"text": "Initialize `self.get_base_url = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR015", "name": "Docker build context is very large", "shortDescription": {"text": "Docker build context is very large"}, "fullDescription": {"text": "Shrink the build context with .dockerignore, move generated/runtime data outside the build context, and copy only the manifest files needed for cached dependency layers."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC111", "name": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. Cal", "shortDescription": {"text": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. Calling them on non-constant data is XSS."}, "fullDescription": {"text": "Use `django.utils.html.format_html(\"<p>{}</p>\", user_input)` \u2014 Django will escape the placeholder. Or escape explicitly with `django.utils.html.escape()`. Only use `mark_safe` on string literals."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED026", "name": "[MINED026] Fake Verification: assert True, expect(1).toBe(1), or other tautology used to fake passing tests.", "shortDescription": {"text": "[MINED026] Fake Verification: assert True, expect(1).toBe(1), or other tautology used to fake passing tests."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1126 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.", "shortDescription": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.AUTH0_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.AUTH0_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AUTH0_CLIENT_ID }` lets a PR from any fork exfiltrate the se"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1305"}, "properties": {"repository": "fern-api/fern", "repoUrl": "https://github.com/fern-api/fern", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133492, "scanner": "repobility-ast-engine", "fingerprint": "026d78371f6850864c600d7bec4e8c897d1b1f78032fcefdd2211f03db373e06", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|026d78371f6850864c600d7bec4e8c897d1b1f78032fcefdd2211f03db373e06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/trace/src/seed/core/pydantic_utilities.py"}, "region": {"startLine": 500}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133491, "scanner": "repobility-ast-engine", "fingerprint": "3baac070f2a18994dd5dbb4d857fbd32d722c83af3843016e7755030798ee603", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3baac070f2a18994dd5dbb4d857fbd32d722c83af3843016e7755030798ee603"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/basic-auth/src/seed/core/jsonable_encoder.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133490, "scanner": "repobility-ast-engine", "fingerprint": "c6135403a9a705c4fcf100eb4f4b40210fc382b511779293eccb0e2a5d37b2aa", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c6135403a9a705c4fcf100eb4f4b40210fc382b511779293eccb0e2a5d37b2aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/basic-auth/src/seed/core/pydantic_utilities.py"}, "region": {"startLine": 500}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133489, "scanner": "repobility-ast-engine", "fingerprint": "e9c46e1c97f1f26ead8279273dc8cb254f6299878a17a842f3452ce443feb01d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e9c46e1c97f1f26ead8279273dc8cb254f6299878a17a842f3452ce443feb01d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/inferred-auth-implicit-reference/src/seed/core/jsonable_encoder.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133488, "scanner": "repobility-ast-engine", "fingerprint": "f2279fd1ead0e3639ba7bf530e87842733da85c7464d3288f4cd677bb2c3dcf6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f2279fd1ead0e3639ba7bf530e87842733da85c7464d3288f4cd677bb2c3dcf6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/inferred-auth-implicit-reference/src/seed/core/pydantic_utilities.py"}, "region": {"startLine": 500}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133487, "scanner": "repobility-ast-engine", "fingerprint": "4a5e373f53e85e6401b637676b97bed1a2615e39de62966c87978aaf78969be6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4a5e373f53e85e6401b637676b97bed1a2615e39de62966c87978aaf78969be6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/undiscriminated-union-with-response-property/src/seed/core/jsonable_encoder.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133486, "scanner": "repobility-ast-engine", "fingerprint": "63d98671928fb463fffbae387943ce2f1099fdc7459dae2f10327ad739f4b71f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|63d98671928fb463fffbae387943ce2f1099fdc7459dae2f10327ad739f4b71f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/undiscriminated-union-with-response-property/src/seed/core/pydantic_utilities.py"}, "region": {"startLine": 500}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133485, "scanner": "repobility-ast-engine", "fingerprint": "ae2147e78200b7b3839540a74394dc4fe1e115db74fd91b8fa24dc60c50f9313", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ae2147e78200b7b3839540a74394dc4fe1e115db74fd91b8fa24dc60c50f9313"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/oauth-client-credentials-openapi/src/seed/core/jsonable_encoder.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133484, "scanner": "repobility-ast-engine", "fingerprint": "a0b7881302d1adde80f7d136544dc47ebe5ec0366461ec9705c0177af6b99357", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a0b7881302d1adde80f7d136544dc47ebe5ec0366461ec9705c0177af6b99357"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/oauth-client-credentials-openapi/src/seed/core/pydantic_utilities.py"}, "region": {"startLine": 500}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133483, "scanner": "repobility-ast-engine", "fingerprint": "e8dfe543a3d9622d89c726fd1e2541c47c7521b690b0ec0bb9b2eb06904809be", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e8dfe543a3d9622d89c726fd1e2541c47c7521b690b0ec0bb9b2eb06904809be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/url-form-encoded/src/seed/core/jsonable_encoder.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133482, "scanner": "repobility-ast-engine", "fingerprint": "0ca59ca5ffb92ee5f61238b7a4ca0e3c920baf7fc3a7b4aa5e8a96b70240c93c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0ca59ca5ffb92ee5f61238b7a4ca0e3c920baf7fc3a7b4aa5e8a96b70240c93c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/url-form-encoded/src/seed/core/pydantic_utilities.py"}, "region": {"startLine": 500}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133481, "scanner": "repobility-ast-engine", "fingerprint": "5cf0db5d58710cebacff17d47fd0fc98b515400b9ea1a38e85a00dc03753015c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5cf0db5d58710cebacff17d47fd0fc98b515400b9ea1a38e85a00dc03753015c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/error-property/src/seed/core/jsonable_encoder.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133480, "scanner": "repobility-ast-engine", "fingerprint": "4198ad54ce0b5181b4989162301067d44b52e2e8ea65154ceeeea3e793dd201a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4198ad54ce0b5181b4989162301067d44b52e2e8ea65154ceeeea3e793dd201a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/error-property/src/seed/core/pydantic_utilities.py"}, "region": {"startLine": 500}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133479, "scanner": "repobility-ast-engine", "fingerprint": "bb1d77d98ed6fdaf4c739549e3c80243af737170e5441aa01c6317c507bbb6f4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bb1d77d98ed6fdaf4c739549e3c80243af737170e5441aa01c6317c507bbb6f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/query-parameters-openapi/no-custom-config/src/seed/core/jsonable_encoder.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133478, "scanner": "repobility-ast-engine", "fingerprint": "c4cacf25e4f6d1698eadf94eec07e23a6ff20fe652ffbc6381b67e6365f0c994", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c4cacf25e4f6d1698eadf94eec07e23a6ff20fe652ffbc6381b67e6365f0c994"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/query-parameters-openapi/no-custom-config/src/seed/core/pydantic_utilities.py"}, "region": {"startLine": 500}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133477, "scanner": "repobility-ast-engine", "fingerprint": "a51464626adad00da89a6bbe74bf54120d1699ba542fde8430187f25a81664ba", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a51464626adad00da89a6bbe74bf54120d1699ba542fde8430187f25a81664ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/python-streaming-parameter-openapi/with-wire-tests/src/seed/core/jsonable_encoder.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133476, "scanner": "repobility-ast-engine", "fingerprint": "b09ac46fde1e76926855c846067f61c9f2d2c602cbe42b3d463d22442cb93884", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b09ac46fde1e76926855c846067f61c9f2d2c602cbe42b3d463d22442cb93884"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/python-streaming-parameter-openapi/with-wire-tests/src/seed/core/pydantic_utilities.py"}, "region": {"startLine": 500}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133475, "scanner": "repobility-ast-engine", "fingerprint": "4ca58cf337b251eff3491be3faf88209950eabd437d72ceea358c4b05585797a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4ca58cf337b251eff3491be3faf88209950eabd437d72ceea358c4b05585797a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/python-streaming-parameter-openapi/with-wire-tests/src/seed/raw_client.py"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133474, "scanner": "repobility-ast-engine", "fingerprint": "d4ba78014066b9a0bf15f26bb1b349792fcb27c707ada084a9489c6486032c3e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d4ba78014066b9a0bf15f26bb1b349792fcb27c707ada084a9489c6486032c3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/python-streaming-parameter-openapi/with-wire-tests/src/seed/raw_client.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133471, "scanner": "repobility-ast-engine", "fingerprint": "832751ffd5a1127338cf857db6b025135eeb895e812bff1e0f65424abafe4796", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|832751ffd5a1127338cf857db6b025135eeb895e812bff1e0f65424abafe4796"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/union-query-parameters/src/seed/core/jsonable_encoder.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133470, "scanner": "repobility-ast-engine", "fingerprint": "fe90fef5b954f810882159d9104588b6598ac4234aa1954a7adc06300fffb701", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fe90fef5b954f810882159d9104588b6598ac4234aa1954a7adc06300fffb701"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/union-query-parameters/src/seed/core/pydantic_utilities.py"}, "region": {"startLine": 500}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133465, "scanner": "repobility-ast-engine", "fingerprint": "97cbd4f52ba549d13869d58fe138225bfea0e0ff9b2992b7c527078e979975d8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|97cbd4f52ba549d13869d58fe138225bfea0e0ff9b2992b7c527078e979975d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/nullable-request-body/src/seed/core/jsonable_encoder.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133464, "scanner": "repobility-ast-engine", "fingerprint": "d88e38774ec86042c4c4bf007f39cd27a83f4d8c4ee31a369362ee7741e11a46", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d88e38774ec86042c4c4bf007f39cd27a83f4d8c4ee31a369362ee7741e11a46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/nullable-request-body/src/seed/core/pydantic_utilities.py"}, "region": {"startLine": 500}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133461, "scanner": "repobility-ast-engine", "fingerprint": "8db1613b12a95e30c0ef651b4db763e1e4d8612532ef7291538d48a041b7d820", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8db1613b12a95e30c0ef651b4db763e1e4d8612532ef7291538d48a041b7d820"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/src/seed/core/jsonable_encoder.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 133460, "scanner": "repobility-ast-engine", "fingerprint": "f5efbbe82374e3c1b1f402e031d0850b7a527026f28168811d2a741a4bf6f446", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f5efbbe82374e3c1b1f402e031d0850b7a527026f28168811d2a741a4bf6f446"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/src/seed/core/pydantic_utilities.py"}, "region": {"startLine": 500}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 133434, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133433, "scanner": "repobility-docker", "fingerprint": "69949a6316d6bc6833a59d54a37a9eeeb8dd963832f79444d65087a8fbb5d28d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:3.14.9", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|69949a6316d6bc6833a59d54a37a9eeeb8dd963832f79444d65087a8fbb5d28d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/generation/local-generation/docker-utils/src/__test__/resources/basic-writer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133432, "scanner": "repobility-docker", "fingerprint": "c8da9d7e13950287e9dcf9fe323abf6c2b88144a29be22a238d0773d99583fcc", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24.16-trixie-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c8da9d7e13950287e9dcf9fe323abf6c2b88144a29be22a238d0773d99583fcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/typescript/sdk/validator/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133431, "scanner": "repobility-docker", "fingerprint": "295719e81170008214e2b6f3c1d8178e32462851b26f8986dd6f1b864a840a95", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24.16-trixie-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|295719e81170008214e2b6f3c1d8178e32462851b26f8986dd6f1b864a840a95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/typescript/sdk/cli/Dockerfile"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133430, "scanner": "repobility-docker", "fingerprint": "0ef431b4aeeebef1277c770b3cbd5c7c6930538ba9caec33dd58314cce5d8a3b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24.16-alpine3.23", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0ef431b4aeeebef1277c770b3cbd5c7c6930538ba9caec33dd58314cce5d8a3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/swift/sdk/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133429, "scanner": "repobility-docker", "fingerprint": "dfc2e60f027fb921481aa860a42c637e11cb08e6b00f56b0723a42048ee59299", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24.16-alpine3.23", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|dfc2e60f027fb921481aa860a42c637e11cb08e6b00f56b0723a42048ee59299"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/swift/model/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133428, "scanner": "repobility-docker", "fingerprint": "83cdcaa696fb8181dedec31afd8503175828bec002466afde8c2964ee81c107b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24.16-alpine3.23", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|83cdcaa696fb8181dedec31afd8503175828bec002466afde8c2964ee81c107b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/rust/sdk/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133427, "scanner": "repobility-docker", "fingerprint": "8e823e8b39c36b21c6c907467611ab3ef08fec977636c279ef393b6631aa7159", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24.16-alpine3.23", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8e823e8b39c36b21c6c907467611ab3ef08fec977636c279ef393b6631aa7159"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/rust/model/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133426, "scanner": "repobility-docker", "fingerprint": "cdf765ffb9c022e4493338fbb123e700f1348003be49fa4032b7a87b9cd0fd81", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ruby:3.3-alpine3.23", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|cdf765ffb9c022e4493338fbb123e700f1348003be49fa4032b7a87b9cd0fd81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/ruby-v2/sdk/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133425, "scanner": "repobility-docker", "fingerprint": "9b9bf585d7479af6bd2be072030eb88c37e1cad52e706f54c6e74607ded39eaf", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ruby:3.3-alpine3.23", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9b9bf585d7479af6bd2be072030eb88c37e1cad52e706f54c6e74607ded39eaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/ruby-v2/model/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133424, "scanner": "repobility-docker", "fingerprint": "d1b7ed9999aad4e35e65efe1459c9333ab2a94c2e99ea9d5e058bbf7959ed857", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24.16-trixie-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d1b7ed9999aad4e35e65efe1459c9333ab2a94c2e99ea9d5e058bbf7959ed857"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python-v2/sdk/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133422, "scanner": "repobility-docker", "fingerprint": "d83da296c37932c2c49bbc9b8fe80cd17ab801e4f65480886e3be93bec495567", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24.16-trixie-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d83da296c37932c2c49bbc9b8fe80cd17ab801e4f65480886e3be93bec495567"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python-v2/pydantic-model/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133420, "scanner": "repobility-docker", "fingerprint": "6836559a39b05f4d18c5b762d8c309d0e41107d32c71cbd4c52023055cfa2c2e", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.13.7-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6836559a39b05f4d18c5b762d8c309d0e41107d32c71cbd4c52023055cfa2c2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/sdk/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133418, "scanner": "repobility-docker", "fingerprint": "c627ef6dcafe4c1024849810615e9454a34ecdbc3c4fdac6cafc63863e57e042", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c627ef6dcafe4c1024849810615e9454a34ecdbc3c4fdac6cafc63863e57e042"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/pydantic/Dockerfile"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 133417, "scanner": "repobility-docker", "fingerprint": "6a640b2deab9fb65b2ab731989048cc2f7c52965460cd4f7e6c12b3929f0a7c9", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6a640b2deab9fb65b2ab731989048cc2f7c52965460cd4f7e6c12b3929f0a7c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/pydantic/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133416, "scanner": "repobility-docker", "fingerprint": "d8e8c70919d9e8d0364d3b7ffc3cbc350288a10ba90f0179d16761d81225e9f0", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "composer:2.9.7", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d8e8c70919d9e8d0364d3b7ffc3cbc350288a10ba90f0179d16761d81225e9f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/php/sdk/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133415, "scanner": "repobility-docker", "fingerprint": "00c2d1596dd7e590d4d47155cfa54ab86e5a4472e5c0bae15e3b594bd49f5853", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "composer:2.9.7", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|00c2d1596dd7e590d4d47155cfa54ab86e5a4472e5c0bae15e3b594bd49f5853"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/php/model/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133414, "scanner": "repobility-docker", "fingerprint": "3613924a4e274d0b4f5df8c76409380f021d51838b9e12750be37dd61daf2867", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24.16-alpine3.23", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3613924a4e274d0b4f5df8c76409380f021d51838b9e12750be37dd61daf2867"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/openapi/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133413, "scanner": "repobility-docker", "fingerprint": "45eb5249254021f89d97fef678084cf6ce73c254be3003bccedd77c17ce7214b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "gradle:jdk11-corretto", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|45eb5249254021f89d97fef678084cf6ce73c254be3003bccedd77c17ce7214b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/java/sdk/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133412, "scanner": "repobility-docker", "fingerprint": "9c381413b025ee40c2433f30b7b99cdcf10d7f5259cf5747f4b9e5bfa86c8dcc", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "gradle:8.5.0-jdk17-jammy", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9c381413b025ee40c2433f30b7b99cdcf10d7f5259cf5747f4b9e5bfa86c8dcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/java/model/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 133411, "scanner": "repobility-docker", "fingerprint": "04b73b82881386dc0d3e11b839881a623f6fc25cf4ca7ae3b4c6149071762a53", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|04b73b82881386dc0d3e11b839881a623f6fc25cf4ca7ae3b4c6149071762a53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/java/model/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133410, "scanner": "repobility-docker", "fingerprint": "0943bb0e7b9900e0a9019adc25b1412eeadbba1d93ade46ee0d3d98553b8b2c5", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "golang:1.26.4-alpine3.23", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0943bb0e7b9900e0a9019adc25b1412eeadbba1d93ade46ee0d3d98553b8b2c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go/sdk/Dockerfile"}, "region": {"startLine": 36}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133409, "scanner": "repobility-docker", "fingerprint": "6f6ae22bddf4a2641a8357f2782ab30574b165e663a6958b647e86dcea74b04d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "golang:1.26.4-alpine3.23", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6f6ae22bddf4a2641a8357f2782ab30574b165e663a6958b647e86dcea74b04d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go/model/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133408, "scanner": "repobility-docker", "fingerprint": "156ed509486f6a42a3e38a5b011a2abba9e3134e4c396cd00068a3127fca6761", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/dotnet/sdk:10.0-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|156ed509486f6a42a3e38a5b011a2abba9e3134e4c396cd00068a3127fca6761"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/csharp/sdk/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133407, "scanner": "repobility-docker", "fingerprint": "0f1afe027e25f5c47b423806b3a860d5ad1091b4156c2308da1629aaa2ef4484", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/dotnet/sdk:10.0-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0f1afe027e25f5c47b423806b3a860d5ad1091b4156c2308da1629aaa2ef4484"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/csharp/model/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133406, "scanner": "repobility-docker", "fingerprint": "715752d41f4691fd6cf702c6f11d8600f6f3a4f211d4019133ec497b6ef94cf0", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24.16-trixie-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|715752d41f4691fd6cf702c6f11d8600f6f3a4f211d4019133ec497b6ef94cf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/cli/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 133405, "scanner": "repobility-docker", "fingerprint": "2062722b7257e4a3d933ae75618e5e533216eb85701d3cd43f7b81f30f6fb141", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2062722b7257e4a3d933ae75618e5e533216eb85701d3cd43f7b81f30f6fb141"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/cli/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133404, "scanner": "repobility-docker", "fingerprint": "7bda4b4aec90ecca9f0e6be3bac7333fb36b0731be951770e9a5861778c1cc25", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24.16.0-trixie-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7bda4b4aec90ecca9f0e6be3bac7333fb36b0731be951770e9a5861778c1cc25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 133403, "scanner": "repobility-docker", "fingerprint": "9cb73941a3b2d52909588dacd62be56f1887264f71e741f5a6799367134eda41", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9cb73941a3b2d52909588dacd62be56f1887264f71e741f5a6799367134eda41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133402, "scanner": "repobility-docker", "fingerprint": "338e64e0a883305fd521631a42354e3b146dfdd900dfa0cdef7ebf3c93965fcd", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "docker:29.5.2-dind-alpine3.23", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|338e64e0a883305fd521631a42354e3b146dfdd900dfa0cdef7ebf3c93965fcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.python"}, "region": {"startLine": 109}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133401, "scanner": "repobility-docker", "fingerprint": "5052055df02832c74b128b854f12916b572ac6c159750fed66b097637869ef37", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "docker:29.5.2-dind-alpine3.23", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5052055df02832c74b128b854f12916b572ac6c159750fed66b097637869ef37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.php"}, "region": {"startLine": 109}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133400, "scanner": "repobility-docker", "fingerprint": "6d2adb0515962e21c3fe3f0066aa45ed640194e66442712af4d8649d3e6d031f", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "redhat/ubi9:9.7", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6d2adb0515962e21c3fe3f0066aa45ed640194e66442712af4d8649d3e6d031f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.java"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133399, "scanner": "repobility-docker", "fingerprint": "3edf77c1c34c807c801f7f0de4189596b745a401372d30ad636f9960866b7fe6", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "docker:29.5.2-dind-alpine3.23", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3edf77c1c34c807c801f7f0de4189596b745a401372d30ad636f9960866b7fe6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.go"}, "region": {"startLine": 87}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133398, "scanner": "repobility-docker", "fingerprint": "d3284be2f34ae8a875dec14360e1011fcebdddd118528e5f7aba026a1d30a062", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/dotnet/sdk:10.0", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d3284be2f34ae8a875dec14360e1011fcebdddd118528e5f7aba026a1d30a062"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.csharp"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 133397, "scanner": "repobility-docker", "fingerprint": "dc3d065a96ab8ec1abe323409889dba3c62cd70472dff625d005097557a35115", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|dc3d065a96ab8ec1abe323409889dba3c62cd70472dff625d005097557a35115"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.csharp"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 133396, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 133395, "scanner": "repobility-docker", "fingerprint": "1e75c628a5b8dbc339fcbacb6f41fe1c998a36761675c80ba054235384be7d9c", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "rust:1.95.0-bookworm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1e75c628a5b8dbc339fcbacb6f41fe1c998a36761675c80ba054235384be7d9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.cli"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 133394, "scanner": "repobility-docker", "fingerprint": "0dc9b37e3469dad1c6f7798c9d86e124af0f8269fc3d332d8919d86c08ec8140", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0dc9b37e3469dad1c6f7798c9d86e124af0f8269fc3d332d8919d86c08ec8140"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.cli"}, "region": {"startLine": 22}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 133392, "scanner": "repobility-agent-runtime", "fingerprint": "6021b29e5df64c7981bd450522eb8c539cc72718458c34f8dc5e8cedd445fffd", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|6021b29e5df64c7981bd450522eb8c539cc72718458c34f8dc5e8cedd445fffd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/cli/src/emitReadme.ts"}, "region": {"startLine": 173}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 133391, "scanner": "repobility-agent-runtime", "fingerprint": "db0e4438f4d41776ade821db75fb6b6bef266208e6e4c23ece33445bc96762e4", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|db0e4438f4d41776ade821db75fb6b6bef266208e6e4c23ece33445bc96762e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-scanning-and-remediation.yml"}, "region": {"startLine": 518}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 133355, "scanner": "repobility-ai-code-hygiene", "fingerprint": "19c171b7ca459d86853e919af3d00decaa36f5dc4b2cdae523dbfbe8d1e41032", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|19c171b7ca459d86853e919af3d00decaa36f5dc4b2cdae523dbfbe8d1e41032"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/rust-sdk/trace/src/api/types/submission_workspace_submission_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 133354, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8bd1a4f14a3daa1d8b3e43aca6597beab10d92ff0f76806a12ae7b534a84c616", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|8bd1a4f14a3daa1d8b3e43aca6597beab10d92ff0f76806a12ae7b534a84c616"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/rust-sdk/trace/src/api/types/submission_test_submission_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 133353, "scanner": "repobility-ai-code-hygiene", "fingerprint": "99cbb65834e81577bad884eaddadc002cf44fc11bb0bced04301c0815d99d484", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|99cbb65834e81577bad884eaddadc002cf44fc11bb0bced04301c0815d99d484"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/rust-sdk/trace/src/api/types/submission_code_execution_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 133343, "scanner": "repobility-threat-engine", "fingerprint": "3b845811d62d7e71f0fd628ebc371f54839e9b03b93d23a6c8e22846863f25aa", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "iveJitter(delay: number): number {\n    const jitterMultiplier = 1 + Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3b845811d62d7e71f0fd628ebc371f54839e9b03b93d23a6c8e22846863f25aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/typescript/utils/core-utilities/src/core/fetcher/requestWithRetries.template.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 133336, "scanner": "repobility-threat-engine", "fingerprint": "caf9218579fa793b3e39b4f4c6189efe28751d6d4bcbf0037cb92d349f74417e", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|caf9218579fa793b3e39b4f4c6189efe28751d6d4bcbf0037cb92d349f74417e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/core_utilities/shared/datetime_utils.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 133317, "scanner": "repobility-threat-engine", "fingerprint": "18a93c25d0f8bb2d798815652c512c9e748bfd6138745ec9dafadad6b89bd5e8", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|269|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/php/sdk/src/wire-tests/WireTestSetupGenerator.ts"}, "region": {"startLine": 269}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 133316, "scanner": "repobility-threat-engine", "fingerprint": "02d172a6ce8c29427c146308ac2f9ca6ba12055125cb4342db5ba5bde091f774", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|42|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/java/generator-utils/src/main/java/com/fern/java/JavaV2Adapter.java"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 133299, "scanner": "repobility-threat-engine", "fingerprint": "6335b8814a3274f2866ee56a5f693a689d08b725ea066c7d915680752953f254", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (error) {\n            return null;\n        }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6335b8814a3274f2866ee56a5f693a689d08b725ea066c7d915680752953f254"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/php/sdk/src/reference/EndpointSnippetsGenerator.ts"}, "region": {"startLine": 163}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 133298, "scanner": "repobility-threat-engine", "fingerprint": "1667579625cbc06adf7e5c596da3d9b76d51adca16fafa27cc455545f2bac81a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (error) {\n            return null;\n        }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1667579625cbc06adf7e5c596da3d9b76d51adca16fafa27cc455545f2bac81a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/java-v2/sdk/src/reference/EndpointSnippetsGenerator.ts"}, "region": {"startLine": 178}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 133297, "scanner": "repobility-threat-engine", "fingerprint": "12a607de5ba0ad6330ae63fc9e670da26e3e2562511930e39eeace500a6f164b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (error) {\n            return null;\n        }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|12a607de5ba0ad6330ae63fc9e670da26e3e2562511930e39eeace500a6f164b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go-v2/sdk/src/reference/EndpointSnippetsGenerator.ts"}, "region": {"startLine": 185}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 133419, "scanner": "repobility-docker", "fingerprint": "971c785f351b45dc9549359000c240ebf27fc52141935f3b0e3a38cd04313c21", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|971c785f351b45dc9549359000c240ebf27fc52141935f3b0e3a38cd04313c21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/sdk/Dockerfile"}, "region": {"startLine": 82}}}]}, {"ruleId": "AIC005", "level": "note", "message": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "properties": {"repobilityId": 133390, "scanner": "repobility-ai-code-hygiene", "fingerprint": "741a90694f9bd4b581711ba7eede2af7ae6fb9026205e8573962202dcfb8b0b8", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Patch-style file defines a top-level symbol also defined in another source file.", "evidence": {"symbol": "WorkspaceTracedUpdate", "rule_id": "AIC005", "scanner": "repobility-ai-code-hygiene", "references": ["https://github.com/jendrikseipp/vulture", "https://knip.dev/"], "duplicate_file": "seed/java-sdk/trace/src/main/java/com/seed/trace/resources/submission/types/WorkspaceTracedUpdate.java", "correlation_key": "fp|741a90694f9bd4b581711ba7eede2af7ae6fb9026205e8573962202dcfb8b0b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/trace/src/seed/submission/types/workspace_traced_update.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC005", "level": "note", "message": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "properties": {"repobilityId": 133389, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1bd4bfdb296c7f2d4edc73a0bf2538b76fc6489416c04c37237678acb73c77ee", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Patch-style file defines a top-level symbol also defined in another source file.", "evidence": {"symbol": "WorkspaceSubmissionUpdate", "rule_id": "AIC005", "scanner": "repobility-ai-code-hygiene", "references": ["https://github.com/jendrikseipp/vulture", "https://knip.dev/"], "duplicate_file": "seed/java-sdk/trace/src/main/java/com/seed/trace/resources/submission/types/WorkspaceSubmissionUpdate.java", "correlation_key": "fp|1bd4bfdb296c7f2d4edc73a0bf2538b76fc6489416c04c37237678acb73c77ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/trace/src/seed/submission/types/workspace_submission_update.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC005", "level": "note", "message": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "properties": {"repobilityId": 133388, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff1c246584bbee13433a6436fdb091f2f8609653cc9eaa02b38d8bf493256b1b", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Patch-style file defines a top-level symbol also defined in another source file.", "evidence": {"symbol": "RecordedTestCaseUpdate", "rule_id": "AIC005", "scanner": "repobility-ai-code-hygiene", "references": ["https://github.com/jendrikseipp/vulture", "https://knip.dev/"], "duplicate_file": "seed/java-sdk/trace/src/main/java/com/seed/trace/resources/submission/types/RecordedTestCaseUpdate.java", "correlation_key": "fp|ff1c246584bbee13433a6436fdb091f2f8609653cc9eaa02b38d8bf493256b1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/trace/src/seed/submission/types/recorded_test_case_update.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC005", "level": "note", "message": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "properties": {"repobilityId": 133387, "scanner": "repobility-ai-code-hygiene", "fingerprint": "70d7dfd0464afe90fd231c21aa70db0b7ad1e26de3de6aa145696e3f7d8f4fb8", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Patch-style file defines a top-level symbol also defined in another source file.", "evidence": {"symbol": "GradedTestCaseUpdate", "rule_id": "AIC005", "scanner": "repobility-ai-code-hygiene", "references": ["https://github.com/jendrikseipp/vulture", "https://knip.dev/"], "duplicate_file": "seed/java-sdk/trace/src/main/java/com/seed/trace/resources/submission/types/GradedTestCaseUpdate.java", "correlation_key": "fp|70d7dfd0464afe90fd231c21aa70db0b7ad1e26de3de6aa145696e3f7d8f4fb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/trace/src/seed/submission/types/graded_test_case_update.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC005", "level": "note", "message": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "properties": {"repobilityId": 133386, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e2087fc8dc005ed435debf77c3df1a05327022d27f5450970566e26100e78052", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Patch-style file defines a top-level symbol also defined in another source file.", "evidence": {"symbol": "CodeExecutionUpdate", "rule_id": "AIC005", "scanner": "repobility-ai-code-hygiene", "references": ["https://github.com/jendrikseipp/vulture", "https://knip.dev/"], "duplicate_file": "seed/java-sdk/trace/src/main/java/com/seed/trace/resources/submission/types/CodeExecutionUpdate.java", "correlation_key": "fp|e2087fc8dc005ed435debf77c3df1a05327022d27f5450970566e26100e78052"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/ruby-sdk-v2/trace/lib/seed/submission/types/code_execution_update.rb"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133385, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1c20ef9afd36a4aa8bfab97e1614dca45c93475832aae737ab62cddfd6aad343", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/go/internal/fern/ir/internal/time.go", "duplicate_line": 1, "correlation_key": "fp|1c20ef9afd36a4aa8bfab97e1614dca45c93475832aae737ab62cddfd6aad343"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go/internal/generator/model/internal/time.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133384, "scanner": "repobility-ai-code-hygiene", "fingerprint": "25e7d5b14401d153175e6be939cbda45f6d7fff0adc69e6f49e2c97f72f71698", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/go/cmd/fern-go-model/main.go", "duplicate_line": 11, "correlation_key": "fp|25e7d5b14401d153175e6be939cbda45f6d7fff0adc69e6f49e2c97f72f71698"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go/cmd/fern-go-sdk/main.go"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133383, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c2226a314465fd31c0a3af9cf36b63b04dfa17365c85be448ad758e047d7dac3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/csharp/sdk/src/readme/ReadmeConfigBuilder.ts", "duplicate_line": 5, "correlation_key": "fp|c2226a314465fd31c0a3af9cf36b63b04dfa17365c85be448ad758e047d7dac3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go-v2/sdk/src/readme/ReadmeConfigBuilder.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133382, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6e9a420216ead891c75b90aeda6b7bb102693b850dbf8760096f538f415b23e5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/go-v2/sdk/src/client/ClientGenerator.ts", "duplicate_line": 150, "correlation_key": "fp|6e9a420216ead891c75b90aeda6b7bb102693b850dbf8760096f538f415b23e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go-v2/sdk/src/raw-client/RawClientGenerator.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133381, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b10768266339b1bf62c56e4309492899f69787dbfa92229c289bf60f956b5562", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/go-v2/sdk/src/internal/Caller.ts", "duplicate_line": 104, "correlation_key": "fp|b10768266339b1bf62c56e4309492899f69787dbfa92229c289bf60f956b5562"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go-v2/sdk/src/internal/Streamer.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133380, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b38b6a5f25267dee41ad0ee7e3dc507b7c579f403ca4598de613236b726febec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/go-v2/dynamic-snippets/src/context/DynamicSnippetsGeneratorContext.ts", "duplicate_line": 205, "correlation_key": "fp|b38b6a5f25267dee41ad0ee7e3dc507b7c579f403ca4598de613236b726febec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go-v2/sdk/src/SdkGeneratorContext.ts"}, "region": {"startLine": 770}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133379, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5355621b902649b02247d36b0ceeed3e5e62686b648857d338bd3ee2a590a713", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/csharp/sdk/src/CsharpGeneratorAgent.ts", "duplicate_line": 25, "correlation_key": "fp|5355621b902649b02247d36b0ceeed3e5e62686b648857d338bd3ee2a590a713"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go-v2/sdk/src/GoGeneratorAgent.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133378, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7f8581028043298ebbec39ccdf3e82890a8e10250d6f30f060d1a7c41b445128", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/go-v2/dynamic-snippets/src/context/DynamicTypeInstantiationMapper.ts", "duplicate_line": 636, "correlation_key": "fp|7f8581028043298ebbec39ccdf3e82890a8e10250d6f30f060d1a7c41b445128"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go-v2/model/src/union/UndiscriminatedUnionGenerator.ts"}, "region": {"startLine": 104}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133377, "scanner": "repobility-ai-code-hygiene", "fingerprint": "77d07c91f4919318b05be33ba4f977828fc216c97c986f9c61ab40f9d5e69a1a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/go-v2/model/src/union/DiscriminatedUnionGenerator.ts", "duplicate_line": 13, "correlation_key": "fp|77d07c91f4919318b05be33ba4f977828fc216c97c986f9c61ab40f9d5e69a1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go-v2/model/src/union/UndiscriminatedUnionGenerator.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133376, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0ce4367fdfb4d0a893957af0beb94b13d0f9fb03afd10dbb5f6a1a322ad9ea52", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/csharp/dynamic-snippets/src/context/FilePropertyMapper.ts", "duplicate_line": 13, "correlation_key": "fp|0ce4367fdfb4d0a893957af0beb94b13d0f9fb03afd10dbb5f6a1a322ad9ea52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go-v2/dynamic-snippets/src/context/FilePropertyMapper.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133375, "scanner": "repobility-ai-code-hygiene", "fingerprint": "12f2b34f900f4d0adae3ec1c090b1d8ae07ff04bb314052eb7e91169cf657711", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/csharp/dynamic-snippets/src/context/DynamicLiteralMapper.ts", "duplicate_line": 208, "correlation_key": "fp|12f2b34f900f4d0adae3ec1c090b1d8ae07ff04bb314052eb7e91169cf657711"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go-v2/dynamic-snippets/src/context/DynamicTypeInstantiationMapper.ts"}, "region": {"startLine": 159}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133374, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1fbf8ab6119af559aa180eda3a57a449baba03dc08ff2f7975a5f34743f063da", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/csharp/dynamic-snippets/src/__test__/utils/buildDynamicSnippetsGenerator.ts", "duplicate_line": 2, "correlation_key": "fp|1fbf8ab6119af559aa180eda3a57a449baba03dc08ff2f7975a5f34743f063da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go-v2/dynamic-snippets/src/__test__/utils/buildDynamicSnippetsGenerator.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133373, "scanner": "repobility-ai-code-hygiene", "fingerprint": "334731138994d6afe98c3f66bcfaae0b1432086ce185cfe065ccfd578b98ccbc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/csharp/model/src/object/ObjectGenerator.ts", "duplicate_line": 239, "correlation_key": "fp|334731138994d6afe98c3f66bcfaae0b1432086ce185cfe065ccfd578b98ccbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/csharp/sdk/src/wrapped-request/WrappedRequestGenerator.ts"}, "region": {"startLine": 490}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133372, "scanner": "repobility-ai-code-hygiene", "fingerprint": "49fc9901a6e0f061a495d355767aa25c473c9a788299324f1e5dfb5df784e63b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/csharp/sdk/src/test-generation/mock-server/MockEndpointGenerator.ts", "duplicate_line": 150, "correlation_key": "fp|49fc9901a6e0f061a495d355767aa25c473c9a788299324f1e5dfb5df784e63b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/csharp/sdk/src/test-generation/mock-server/MockServerTestGenerator.ts"}, "region": {"startLine": 197}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133371, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a278594465e78c02f6d2787d99f2e430e9fe6e65a30be1b2a497fe4e5732c39d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/csharp/model/src/object/ObjectGenerator.ts", "duplicate_line": 276, "correlation_key": "fp|a278594465e78c02f6d2787d99f2e430e9fe6e65a30be1b2a497fe4e5732c39d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/csharp/sdk/src/test-generation/mock-server/MockEndpointGenerator.ts"}, "region": {"startLine": 474}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133370, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e730ce57d956ca790f8b45901f2c66723d8b87734263d01d9a048f0e1d89e77f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/csharp/base/src/FileGenerator.ts", "duplicate_line": 7, "correlation_key": "fp|e730ce57d956ca790f8b45901f2c66723d8b87734263d01d9a048f0e1d89e77f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/csharp/sdk/src/readme/ReadmeSnippetBuilder.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133369, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1e2871cc46e48b7adf9d9b97a6bebc3da9d69c9baeb02c30049df838422b8a4f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/csharp/sdk/src/options/IdempotentRequestOptionsGenerator.ts", "duplicate_line": 52, "correlation_key": "fp|1e2871cc46e48b7adf9d9b97a6bebc3da9d69c9baeb02c30049df838422b8a4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/csharp/sdk/src/options/RequestOptionsGenerator.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133368, "scanner": "repobility-ai-code-hygiene", "fingerprint": "077e1adba06d2441e633a67fc93931aa9225d216592fd1cfe96f9fa92aba3585", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/csharp/sdk/src/inferred-auth/InferredAuthTokenProviderGenerator.ts", "duplicate_line": 102, "correlation_key": "fp|077e1adba06d2441e633a67fc93931aa9225d216592fd1cfe96f9fa92aba3585"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/csharp/sdk/src/oauth/OauthTokenProviderGenerator.ts"}, "region": {"startLine": 143}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133367, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a292ea50b3ddb5f29ccfd11106dc553f5fd9ea056550fe3642cb0c1e0966ae6a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/csharp/sdk/src/endpoint/request/BytesOnlyEndpointRequest.ts", "duplicate_line": 33, "correlation_key": "fp|a292ea50b3ddb5f29ccfd11106dc553f5fd9ea056550fe3642cb0c1e0966ae6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/csharp/sdk/src/endpoint/request/WrappedEndpointRequest.ts"}, "region": {"startLine": 147}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133366, "scanner": "repobility-ai-code-hygiene", "fingerprint": "30d77e2efde304632ce4ae5c070d2f0eecf33e7535e0b1f0373b47816c56aec0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/csharp/sdk/src/endpoint/request/BytesOnlyEndpointRequest.ts", "duplicate_line": 19, "correlation_key": "fp|30d77e2efde304632ce4ae5c070d2f0eecf33e7535e0b1f0373b47816c56aec0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/csharp/sdk/src/endpoint/request/ReferencedEndpointRequest.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133365, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4ebb19a851ca35cc30b4dd084ddfa461b5eb89f8583c3708bd3db4dfb242a9c4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/csharp/model/src/ModelGeneratorContext.ts", "duplicate_line": 26, "correlation_key": "fp|4ebb19a851ca35cc30b4dd084ddfa461b5eb89f8583c3708bd3db4dfb242a9c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/csharp/sdk/src/SdkGeneratorContext.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133364, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8263167e6cb628479f12a3d45fae435e09cd7903e3041c82ffd1265f23851758", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/csharp/model/src/object/ObjectSerializationTestGenerator.ts", "duplicate_line": 2, "correlation_key": "fp|8263167e6cb628479f12a3d45fae435e09cd7903e3041c82ffd1265f23851758"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/csharp/model/src/union/UnionSerializationTestGenerator.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133363, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b7a327b8590234e1c8d9871dd1f33e7f3c18bed5a2ae7744de76613f416f8c55", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/csharp/model/src/proto/WellKnownProtoStructGenerator.ts", "duplicate_line": 45, "correlation_key": "fp|b7a327b8590234e1c8d9871dd1f33e7f3c18bed5a2ae7744de76613f416f8c55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/csharp/model/src/proto/WellKnownProtoValueGenerator.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133362, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ae95700206722babd3c4d5ee079dfc3bd7711596d1fe5e06eb51a9f2c21f5a92", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/csharp/base/src/asIs/BaseRequest.Template.cs", "duplicate_line": 20, "correlation_key": "fp|ae95700206722babd3c4d5ee079dfc3bd7711596d1fe5e06eb51a9f2c21f5a92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/csharp/base/src/asIs/RawClient.Template.cs"}, "region": {"startLine": 246}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133361, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b05e0da5880091053e5691de4b789d7193a86c3a56bc07248786e2ffb857039f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/cli/sdk/src/websocket/client.rs", "duplicate_line": 431, "correlation_key": "fp|b05e0da5880091053e5691de4b789d7193a86c3a56bc07248786e2ffb857039f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/cli/sdk/src/websocket/error.rs"}, "region": {"startLine": 97}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133360, "scanner": "repobility-ai-code-hygiene", "fingerprint": "64b5bc31c4e311d90fd32b1bd850dabc6ce6d94463a7f11e00f57588c539cf6b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/cli/sdk/src/graphql/commands.rs", "duplicate_line": 240, "correlation_key": "fp|64b5bc31c4e311d90fd32b1bd850dabc6ce6d94463a7f11e00f57588c539cf6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/cli/sdk/src/openapi/help.rs"}, "region": {"startLine": 228}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133359, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aa8b548655e86e6d912d8f4cbf31d507262e6dea2b30cb48412bf457758a7ef0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/cli/sdk/src/graphql/help.rs", "duplicate_line": 9, "correlation_key": "fp|aa8b548655e86e6d912d8f4cbf31d507262e6dea2b30cb48412bf457758a7ef0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/cli/sdk/src/openapi/help.rs"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133358, "scanner": "repobility-ai-code-hygiene", "fingerprint": "46743d4e09ae6580c68ca572180af1c73b8d184f52eba4934312da4e9d50eb77", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/cli/sdk/src/graphql/binding.rs", "duplicate_line": 87, "correlation_key": "fp|46743d4e09ae6580c68ca572180af1c73b8d184f52eba4934312da4e9d50eb77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/cli/sdk/src/openapi/binding.rs"}, "region": {"startLine": 141}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133357, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ec57d91b1d786ea29713627deaa6802c65de9e7ff9cda747cd63915642d4b1f5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "generators/cli/sdk/src/app.rs", "duplicate_line": 241, "correlation_key": "fp|ec57d91b1d786ea29713627deaa6802c65de9e7ff9cda747cd63915642d4b1f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/cli/sdk/src/graphql/commands.rs"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 133356, "scanner": "repobility-ai-code-hygiene", "fingerprint": "406bdd70a1db11bb1978af2fca575c4efb9904d62664f62ad604bbbe7f9ebf7a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "docker/seed/Dockerfile.go", "duplicate_line": 18, "correlation_key": "fp|406bdd70a1db11bb1978af2fca575c4efb9904d62664f62ad604bbbe7f9ebf7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.php"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 133352, "scanner": "repobility-ai-code-hygiene", "fingerprint": "02948b73b8f0678004c5b105db864334c14cf19a3c5bd2cbc504222e6292fd65", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|02948b73b8f0678004c5b105db864334c14cf19a3c5bd2cbc504222e6292fd65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/rust-sdk/trace/src/api/types/submission_workspace_submission_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 133351, "scanner": "repobility-ai-code-hygiene", "fingerprint": "baea06f920704c6bbff71aa365eb3e5da14bfded2229bd9d48709960de098cbd", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|baea06f920704c6bbff71aa365eb3e5da14bfded2229bd9d48709960de098cbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/rust-sdk/trace/src/api/types/submission_test_submission_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 133350, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bbebafce4e553f5923bff5abcabd4ae400ab06f513ad00702df323aadbb8dad0", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|bbebafce4e553f5923bff5abcabd4ae400ab06f513ad00702df323aadbb8dad0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/rust-sdk/trace/src/api/types/submission_code_execution_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 133349, "scanner": "repobility-ai-code-hygiene", "fingerprint": "00cbd093fc665827cf00f2a353bccb8fcdd434a5cce22036ba854ebf61bd3994", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|00cbd093fc665827cf00f2a353bccb8fcdd434a5cce22036ba854ebf61bd3994"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/ruby-sdk-v2/trace/lib/seed/submission/types/code_execution_update.rb"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 133348, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cc5896e0e680c1f7d426aa0f7b75445456231cb195770693f1c326ccbb12b093", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|cc5896e0e680c1f7d426aa0f7b75445456231cb195770693f1c326ccbb12b093"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/trace/src/seed/submission/types/workspace_traced_update.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 133347, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b5127d6340fd618b6b21ccccba663205587f82628fdf693b060b144559863842", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|b5127d6340fd618b6b21ccccba663205587f82628fdf693b060b144559863842"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/trace/src/seed/submission/types/workspace_submission_update.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 133346, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e099330476045d9aee9a5d17eb48df871bc04af728d5adc61c58cba6eb27ed96", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|e099330476045d9aee9a5d17eb48df871bc04af728d5adc61c58cba6eb27ed96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/trace/src/seed/submission/types/recorded_test_case_update.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 133345, "scanner": "repobility-ai-code-hygiene", "fingerprint": "85a561bca35c58c3452472d0e7ee038f024f8eec945f0d78dbc704ae6049eaf0", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|85a561bca35c58c3452472d0e7ee038f024f8eec945f0d78dbc704ae6049eaf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/trace/src/seed/submission/types/graded_test_case_update.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 133344, "scanner": "repobility-ai-code-hygiene", "fingerprint": "260f266b555bfc045c0e4e1e51394215b9dc3cf270334b97c195970edfc556b7", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|260f266b555bfc045c0e4e1e51394215b9dc3cf270334b97c195970edfc556b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/trace/src/seed/submission/types/code_execution_update.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 133322, "scanner": "repobility-threat-engine", "fingerprint": "2ce39432553cdc54062e72352e7d63ac918b9793ed54663fba7c89aafceb329f", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Please provide the required credentials for \" + schemeName + \" when initializing the client\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2ce39432553cdc54062e72352e7d63ac918b9793ed54663fba7c89aafceb329f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/java/sdk/src/main/java/com/fern/java/client/generators/auth/InferredAuthProviderGenerator.java"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 133321, "scanner": "repobility-threat-engine", "fingerprint": "928eadcc2401e9185f13a6465343a76a8141d2ff134cdfa1fac9bd8ecf9ca48e", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Cannot get value from \" + state + \" OptionalNullable\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|928eadcc2401e9185f13a6465343a76a8141d2ff134cdfa1fac9bd8ecf9ca48e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/java/generator-utils/src/main/resources/OptionalNullable.java"}, "region": {"startLine": 98}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: else=2, if=5, nested_bonus=1."}, "properties": {"repobilityId": 133258, "scanner": "repobility-threat-engine", "fingerprint": "01bbfc92faea06a239888cdbfc79ba62eab14b76e548a472764b59bf33a8a938", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 5, "else": 2, "nested_bonus": 1}, "complexity": 8, "correlation_key": "fp|01bbfc92faea06a239888cdbfc79ba62eab14b76e548a472764b59bf33a8a938"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/fern/fix-spec-refs.py"}, "region": {"startLine": 51}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `strip_dangling_refs` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: elif=1, if=4, nested_bonus=6, recursion=2."}, "properties": {"repobilityId": 133257, "scanner": "repobility-threat-engine", "fingerprint": "861e8916de921286c2a305c5ccc9ada8a914a80a3985fa8b328c48c37f040b8d", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 13 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "strip_dangling_refs", "breakdown": {"if": 4, "elif": 1, "recursion": 2, "nested_bonus": 6}, "complexity": 13, "correlation_key": "fp|861e8916de921286c2a305c5ccc9ada8a914a80a3985fa8b328c48c37f040b8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/fern/fix-spec-refs.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "properties": {"repobilityId": 133342, "scanner": "repobility-threat-engine", "fingerprint": "9cf835bca224eacb68b17514e9edc98b764ea70275e2e1859078bb7c4709c37b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9cf835bca224eacb68b17514e9edc98b764ea70275e2e1859078bb7c4709c37b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/rust/sdk/src/generators/ApiClientBuilderGenerator.ts"}, "region": {"startLine": 200}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 133339, "scanner": "repobility-threat-engine", "fingerprint": "6d96ba21c53d05f36dd8deb88091a31eb7cf9927dfaf284e54f26bf853005692", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d96ba21c53d05f36dd8deb88091a31eb7cf9927dfaf284e54f26bf853005692"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/src/fern_python/version/python_version.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 133338, "scanner": "repobility-threat-engine", "fingerprint": "abcd73d8545e5e21eedf3f833ee4c3a0cc3a3148aadc37d31f4085bcc93a1d87", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|abcd73d8545e5e21eedf3f833ee4c3a0cc3a3148aadc37d31f4085bcc93a1d87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/src/fern_python/generators/sdk/client_generator/request_body_parameters/union_flattening_utils.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 133333, "scanner": "repobility-threat-engine", "fingerprint": "9a741262746004228ab9c7ff44fa1d341f17017b2301e7cfd50327fb6a479037", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9a741262746004228ab9c7ff44fa1d341f17017b2301e7cfd50327fb6a479037"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/core_utilities/shared/http_sse/_exceptions.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 133332, "scanner": "repobility-threat-engine", "fingerprint": "473d4b79f8c6ede641b5152b32fbef422cb7cccf614ea0f066325f4d815affb2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|473d4b79f8c6ede641b5152b32fbef422cb7cccf614ea0f066325f4d815affb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/core_utilities/sdk/enum.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 133331, "scanner": "repobility-threat-engine", "fingerprint": "c58c56dbc1e75dfc8ca27af233b5228b27ed27794eaca3e636bfb96db23b1092", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c58c56dbc1e75dfc8ca27af233b5228b27ed27794eaca3e636bfb96db23b1092"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/core_utilities/pydantic/enum.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 133330, "scanner": "repobility-threat-engine", "fingerprint": "50406309e3101c911d59a3045c7bd41e083f0c20641ab6d2cbf99c80311d7d9e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|50406309e3101c911d59a3045c7bd41e083f0c20641ab6d2cbf99c80311d7d9e", "aggregated_count": 7}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 133329, "scanner": "repobility-threat-engine", "fingerprint": "e3a71c3f51c325806e2e890afaeaba1f8a314e582b1aea88b1241ade39f06938", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e3a71c3f51c325806e2e890afaeaba1f8a314e582b1aea88b1241ade39f06938"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/core_utilities/sdk/enum.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 133328, "scanner": "repobility-threat-engine", "fingerprint": "bb988c17c9f87a8d615b0aca089fe1e60847a5a14cd63b26403f66888f56c7de", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bb988c17c9f87a8d615b0aca089fe1e60847a5a14cd63b26403f66888f56c7de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/core_utilities/sdk/custom_pagination.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 133327, "scanner": "repobility-threat-engine", "fingerprint": "de6ef7a4fbfe9ac3a27594823514d3bf304753579daf71c3d8e46556fdeda489", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de6ef7a4fbfe9ac3a27594823514d3bf304753579daf71c3d8e46556fdeda489"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/core_utilities/pydantic/enum.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 133326, "scanner": "repobility-threat-engine", "fingerprint": "1dd10c8caf2ed5e764a84542a23fd9dd01afa18531b82b259f83a19b111f9b13", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1dd10c8caf2ed5e764a84542a23fd9dd01afa18531b82b259f83a19b111f9b13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/php/base/src/asIs/Json/AdditionalPropertiesTest.Template.php"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 133325, "scanner": "repobility-threat-engine", "fingerprint": "57f313aa5524612b77c602f96f6cafc3e80eea5369077abbb2a046414dd06816", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|57f313aa5524612b77c602f96f6cafc3e80eea5369077abbb2a046414dd06816"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/php/base/src/asIs/File.Template.php"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED092", "level": "none", "message": {"text": "[MINED092] Java Runtime Exec: Runtime.getRuntime().exec(cmd) with concat string args = command injection."}, "properties": {"repobilityId": 133320, "scanner": "repobility-threat-engine", "fingerprint": "18a23601c070504c3eb3756361cf581f89cf9ff52d2d1196610ac885d43013ad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "java-runtime-exec", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["java"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348152+00:00", "triaged_in_corpus": 15, "observations_count": 250, "ai_coder_pattern_id": 125}, "scanner": "repobility-threat-engine", "correlation_key": "fp|18a23601c070504c3eb3756361cf581f89cf9ff52d2d1196610ac885d43013ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/java/generator-utils/src/main/java/com/fern/java/JavaV2Adapter.java"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 133315, "scanner": "repobility-threat-engine", "fingerprint": "b58df9499acfd10b1e20b964429ac887f20e8cc016c1011756c8f46ae09a5873", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b58df9499acfd10b1e20b964429ac887f20e8cc016c1011756c8f46ae09a5873", "aggregated_count": 3}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 133314, "scanner": "repobility-threat-engine", "fingerprint": "10045dea06db80cbb9e4ca0f77be06e33d7e0d4093bbac1cf0490ea05c8f563e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|10045dea06db80cbb9e4ca0f77be06e33d7e0d4093bbac1cf0490ea05c8f563e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/typescript/utils/core-utilities/src/core/fetcher/stream-wrappers/Node18UniversalStreamWrapper.ts"}, "region": {"startLine": 202}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 133313, "scanner": "repobility-threat-engine", "fingerprint": "e591ba86a970b48e487d47fcb99b516b89b5d5b66a361abddae0067a9a8eaf6f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e591ba86a970b48e487d47fcb99b516b89b5d5b66a361abddae0067a9a8eaf6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/typescript/sdk/test-utils/src/mock-context.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 133312, "scanner": "repobility-threat-engine", "fingerprint": "5b44730a56c1b5c6cd19d1ec4a878cf03403a9f5ab82ddbd4f7a81628c6407b0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5b44730a56c1b5c6cd19d1ec4a878cf03403a9f5ab82ddbd4f7a81628c6407b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/java-v2/sdk/src/SdkGeneratorCli.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 133311, "scanner": "repobility-threat-engine", "fingerprint": "3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545"}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 133307, "scanner": "repobility-threat-engine", "fingerprint": "c9975289ec528dc819b612002c4848d440a5ffdf5a3c62ff36cdbf96d45390df", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c9975289ec528dc819b612002c4848d440a5ffdf5a3c62ff36cdbf96d45390df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go/internal/generator/sdk/utils/pointer.go"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 133306, "scanner": "repobility-threat-engine", "fingerprint": "7d43813dea34000074f89ea000dc909614abdee6b058775228cf8614cb5022c8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7d43813dea34000074f89ea000dc909614abdee6b058775228cf8614cb5022c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go/internal/generator/sdk/internal/pointer.go"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 133301, "scanner": "repobility-threat-engine", "fingerprint": "e182e4563df0116636cc808ca68249a8cae77fd27aa5dca9095a3f9fbddff269", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e182e4563df0116636cc808ca68249a8cae77fd27aa5dca9095a3f9fbddff269"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go/internal/coordinator/coordinator.go"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC136", "level": "none", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 133300, "scanner": "repobility-threat-engine", "fingerprint": "177c770515f587906108b42e96cd3338ec47ddf67f686d5997cc1b924f1a1bdf", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|177c770515f587906108b42e96cd3338ec47ddf67f686d5997cc1b924f1a1bdf"}}}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 133296, "scanner": "repobility-threat-engine", "fingerprint": "224ae9ece76074bd1f3c2735881c62769c52b54ee744928035ab8f111329bc17", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|224ae9ece76074bd1f3c2735881c62769c52b54ee744928035ab8f111329bc17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/csharp/sdk/src/error/CustomExceptionInterceptorGenerator.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 133295, "scanner": "repobility-threat-engine", "fingerprint": "218336f1f352814f55f0dc7c53cd78e01af89d01b0c30b8314a6a1754b85ed34", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|218336f1f352814f55f0dc7c53cd78e01af89d01b0c30b8314a6a1754b85ed34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/cli/sdk/src/lib.rs"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 133294, "scanner": "repobility-threat-engine", "fingerprint": "4b27ca54561e7117ebd5c42b2ab9d4e05fcade840c6c6ed604737856ae22c345", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4b27ca54561e7117ebd5c42b2ab9d4e05fcade840c6c6ed604737856ae22c345"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/cli/sdk/src/man.rs"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 133293, "scanner": "repobility-threat-engine", "fingerprint": "855024d6fa7805d0008976018bb89a9592c6aad7eb03b101ba860699d2c8acf2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|855024d6fa7805d0008976018bb89a9592c6aad7eb03b101ba860699d2c8acf2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/cli/sdk/src/graphql/discovery.rs"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 133292, "scanner": "repobility-threat-engine", "fingerprint": "42db078072c8f26531131a3dc752ddc2d2a8350c755dfd942c69b41719becc9a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|42db078072c8f26531131a3dc752ddc2d2a8350c755dfd942c69b41719becc9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/rust/model/src/__test__/snapshots/union-types/types_vehicle.rs"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 133291, "scanner": "repobility-threat-engine", "fingerprint": "e2c6dc263657d8e4a99dad411ede8674b407aa534546e9f5695b6a82aa3c36bc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e2c6dc263657d8e4a99dad411ede8674b407aa534546e9f5695b6a82aa3c36bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/cli/sdk/build.rs"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 133290, "scanner": "repobility-threat-engine", "fingerprint": "330e42929a5c248fc895cf635b2a2264c388d68f96eeee14bca3aae26f23cede", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|330e42929a5c248fc895cf635b2a2264c388d68f96eeee14bca3aae26f23cede", "aggregated_count": 7}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 133286, "scanner": "repobility-threat-engine", "fingerprint": "384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 133282, "scanner": "repobility-threat-engine", "fingerprint": "cd6259dea271f22c4a92cec5e1f348d2448cee14ffb575003568ca86cf3cd1df", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|cd6259dea271f22c4a92cec5e1f348d2448cee14ffb575003568ca86cf3cd1df", "aggregated_count": 9}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 133281, "scanner": "repobility-threat-engine", "fingerprint": "1273af7b142b7638c6573f20bee5dcb3e3f757175812dff8f84da9c7c3a071f7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1273af7b142b7638c6573f20bee5dcb3e3f757175812dff8f84da9c7c3a071f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/cli/src/copySpecs.ts"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 133280, "scanner": "repobility-threat-engine", "fingerprint": "6a70ce4f2dbf81e35e32c7510e7f32672c74c3fe327ae91caac057f0a3e0d820", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a70ce4f2dbf81e35e32c7510e7f32672c74c3fe327ae91caac057f0a3e0d820"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/browser-compatible-base/src/utils/NameHelpers.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 133279, "scanner": "repobility-threat-engine", "fingerprint": "ba469dd088e75b6fc0705f766540ca6bb79737902219c971596a6cb5f3964c53", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ba469dd088e75b6fc0705f766540ca6bb79737902219c971596a6cb5f3964c53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/base/src/utils/GitHubConfig.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 133278, "scanner": "repobility-threat-engine", "fingerprint": "3099cdedf7f6f48428218161239611c91238133285157cdb835444bb04795c5c", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "logger.error(\"GitHub URI or token is missing in publishing config\")", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|4|logger.error github uri or token is missing in publishing config"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/base/src/utils/GitHubConfig.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 133277, "scanner": "repobility-threat-engine", "fingerprint": "90e362140b3866d3dde8a0b6f82265c37c04ba196167c3d2b3ae3d096ee15566", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|90e362140b3866d3dde8a0b6f82265c37c04ba196167c3d2b3ae3d096ee15566", "aggregated_count": 7}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 133276, "scanner": "repobility-threat-engine", "fingerprint": "30920ab1b80dfc87c76cd805918e337fbea35d6367b86c9795ebf03b4bb57650", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|30920ab1b80dfc87c76cd805918e337fbea35d6367b86c9795ebf03b4bb57650"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/typescript-v2/dynamic-snippets/src/__test__/utils/buildGeneratorConfig.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 133275, "scanner": "repobility-threat-engine", "fingerprint": "a5ef40c1b2895679e7e446a23364a3912043ff0d59f6258d75d8752357b275e2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a5ef40c1b2895679e7e446a23364a3912043ff0d59f6258d75d8752357b275e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python-v2/dynamic-snippets/src/__test__/utils/buildGeneratorConfig.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 133274, "scanner": "repobility-threat-engine", "fingerprint": "94ee85335ade9a011e01fa7295f769709fece3ffc961b627e638dcdef2366c04", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|94ee85335ade9a011e01fa7295f769709fece3ffc961b627e638dcdef2366c04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/base/src/SourceFetcher.ts"}, "region": {"startLine": 147}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 133273, "scanner": "repobility-threat-engine", "fingerprint": "87a374dc589dd420ec377c72db2b292cf3fbbfe6642b8efe3d05d9fe2427b14e", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|87a374dc589dd420ec377c72db2b292cf3fbbfe6642b8efe3d05d9fe2427b14e"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 133269, "scanner": "repobility-threat-engine", "fingerprint": "3eeb0184ea59cd4304ee823c3834023268f895a0ec0b4135af603e87001559be", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3eeb0184ea59cd4304ee823c3834023268f895a0ec0b4135af603e87001559be", "aggregated_count": 7}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 133268, "scanner": "repobility-threat-engine", "fingerprint": "a67c92fea156c948608cdacf543c34b1120013ca32cf63872f81a51389762064", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a67c92fea156c948608cdacf543c34b1120013ca32cf63872f81a51389762064"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/base/src/utils/parseIR.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 133267, "scanner": "repobility-threat-engine", "fingerprint": "3d3a79ab614f78766525e42b80de1c04c39910dbaab2b954a659dcf91fe13924", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3d3a79ab614f78766525e42b80de1c04c39910dbaab2b954a659dcf91fe13924"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/base/src/utils/parseGeneratorConfig.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 133266, "scanner": "repobility-threat-engine", "fingerprint": "9e578c9a92c6db3059749a87b6381fb6d832633aafd8c5c31bb1e9b4d4fda59b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9e578c9a92c6db3059749a87b6381fb6d832633aafd8c5c31bb1e9b4d4fda59b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/base/src/AbstractGeneratorCli.ts"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 133265, "scanner": "repobility-threat-engine", "fingerprint": "051e12c59f979e7ccf7e6d24ce8fe64f62eec260eee59156178fc8609f99a572", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|051e12c59f979e7ccf7e6d24ce8fe64f62eec260eee59156178fc8609f99a572"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/setup-python.sh"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 133264, "scanner": "repobility-threat-engine", "fingerprint": "aff63520b5c2ca14730fbe6feb64b6098b0c14380f6787ba1dcafba224c1bb08", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aff63520b5c2ca14730fbe6feb64b6098b0c14380f6787ba1dcafba224c1bb08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 133263, "scanner": "repobility-threat-engine", "fingerprint": "abeb24076d92b50094c8ced448f1e101bcfe976bf9271e35ac81e87832fcb0d4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|abeb24076d92b50094c8ced448f1e101bcfe976bf9271e35ac81e87832fcb0d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/typescript/utils/core-utilities/src/core/fetcher/makePassthroughRequest.ts"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 133262, "scanner": "repobility-threat-engine", "fingerprint": "5f3d4bdd568aae166925716d1e500d4ddfd4722ef868431959d440f6bee20ea2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5f3d4bdd568aae166925716d1e500d4ddfd4722ef868431959d440f6bee20ea2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/ruby-v2/base/src/asIs/internal/http/raw_client.Template.rb"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 133261, "scanner": "repobility-threat-engine", "fingerprint": "e573e727d7466706c561bbf156c12d6b8d555083ef000715a22401670abc643c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e573e727d7466706c561bbf156c12d6b8d555083ef000715a22401670abc643c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 36 more): Same pattern found in 36 additional files. Review if needed."}, "properties": {"repobilityId": 133260, "scanner": "repobility-threat-engine", "fingerprint": "e73953417d9f2ca9f8a94fbd30ff8e6f289ec5e7444c727341ccdd69f1a797de", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 36 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "strip_dangling_refs", "breakdown": {"if": 4, "elif": 1, "recursion": 2, "nested_bonus": 6}, "aggregated": true, "complexity": 13, "correlation_key": "fp|e73953417d9f2ca9f8a94fbd30ff8e6f289ec5e7444c727341ccdd69f1a797de", "aggregated_count": 36}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `generators/java/generator-utils/src/main/resources/gradle-wrapper/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `generators/java/generator-utils/src/main/resources/gradle-wrapper/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,764 bytes) committed to a repo that otherwise has 111671 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed b"}, "properties": {"repobilityId": 133583, "scanner": "repobility-supply-chain", "fingerprint": "b54972bed314a5b446a1e357e78d8817f73fad2a182e6dca56b2187500d709f9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b54972bed314a5b446a1e357e78d8817f73fad2a182e6dca56b2187500d709f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/java/generator-utils/src/main/resources/gradle-wrapper/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `generators/java/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `generators/java/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (58,910 bytes) committed to a repo that otherwise has 111671 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 133582, "scanner": "repobility-supply-chain", "fingerprint": "e687153b1aaf825398e29d531d1a895016d21be0174b0d720cada1f7178627f1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e687153b1aaf825398e29d531d1a895016d21be0174b0d720cada1f7178627f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/java/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24.16-alpine3.23` not pinned by digest: `FROM node:24.16-alpine3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133581, "scanner": "repobility-supply-chain", "fingerprint": "ba56d8fdf7958933cbdf7a809653eeff8ba024956699099d82e6cdaf3d7e885b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ba56d8fdf7958933cbdf7a809653eeff8ba024956699099d82e6cdaf3d7e885b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/rust/model/Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `rust:1.91-alpine3.23` not pinned by digest: `FROM rust:1.91-alpine3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133580, "scanner": "repobility-supply-chain", "fingerprint": "ca5a9752930a1de8062548758658e81e89aae3e8bab47c05bba985720e3c5d73", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ca5a9752930a1de8062548758658e81e89aae3e8bab47c05bba985720e3c5d73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/rust/model/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24.16-alpine3.23` not pinned by digest: `FROM node:24.16-alpine3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133579, "scanner": "repobility-supply-chain", "fingerprint": "22699465e03a420ce18802c6822697cf5f317a4b5e0323b7261b785ef5d624ce", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|22699465e03a420ce18802c6822697cf5f317a4b5e0323b7261b785ef5d624ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/rust/sdk/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `rust:1.91-alpine3.23` not pinned by digest: `FROM rust:1.91-alpine3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133578, "scanner": "repobility-supply-chain", "fingerprint": "ce9240825763d2101cb3b40b071b1689c91313001872087edbdf0b9c499191f1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ce9240825763d2101cb3b40b071b1689c91313001872087edbdf0b9c499191f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/rust/sdk/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `composer:2.9.7` not pinned by digest: `FROM composer:2.9.7` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133577, "scanner": "repobility-supply-chain", "fingerprint": "47ff030b63f75f394d6c9804344cca304a1a8d7f118875113111d44b1b210810", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47ff030b63f75f394d6c9804344cca304a1a8d7f118875113111d44b1b210810"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/php/model/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24.16-alpine3.23` not pinned by digest: `FROM node:24.16-alpine3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133576, "scanner": "repobility-supply-chain", "fingerprint": "33062ca1dc332eb5801aa5e295ce0c3fb9aaee779c3e1ecfecb6dc7d4c660cec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|33062ca1dc332eb5801aa5e295ce0c3fb9aaee779c3e1ecfecb6dc7d4c660cec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/php/model/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `composer:2.9.7` not pinned by digest: `FROM composer:2.9.7` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133575, "scanner": "repobility-supply-chain", "fingerprint": "4e3f051c6f4a0ee670b229853b3359d4e556dbee678dc4a879f229b1f6b2a797", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e3f051c6f4a0ee670b229853b3359d4e556dbee678dc4a879f229b1f6b2a797"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/php/sdk/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24.16-alpine3.23` not pinned by digest: `FROM node:24.16-alpine3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133574, "scanner": "repobility-supply-chain", "fingerprint": "c93872e7020c56df7aa63a81cb44549f43c51705a358e71311100add213c2c78", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c93872e7020c56df7aa63a81cb44549f43c51705a358e71311100add213c2c78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/php/sdk/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24.16-trixie-slim` not pinned by digest: `FROM node:24.16-trixie-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133573, "scanner": "repobility-supply-chain", "fingerprint": "10ad4d53a61e7aeea04e399632a86dccac1c71a3d38d6311e7ce88d3a62d9775", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|10ad4d53a61e7aeea04e399632a86dccac1c71a3d38d6311e7ce88d3a62d9775"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/cli/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/python-poetry/poetry` pinned to mutable rev `1.2`: `.pre-commit-config.yaml` references `https://github.com/python-poetry/poetry` at `rev: 1.2`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 133572, "scanner": "repobility-supply-chain", "fingerprint": "bfc6179dfdee41cfa7cbce56bbce6d2cdbfe1a458c879b74fa98bf60d6f8e144", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bfc6179dfdee41cfa7cbce56bbce6d2cdbfe1a458c879b74fa98bf60d6f8e144"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/.pre-commit-config.yaml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.11.5`: `.pre-commit-config.yaml` references `https://github.com/astral-sh/ruff-pre-commit` at `rev: v0.11.5`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 133571, "scanner": "repobility-supply-chain", "fingerprint": "30bedbf687779e77212b65760c42506ae9925519670b74ab08ae7c522da0b614", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|30bedbf687779e77212b65760c42506ae9925519670b74ab08ae7c522da0b614"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/.pre-commit-config.yaml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/asottile/yesqa` pinned to mutable rev `v1.4.0`: `.pre-commit-config.yaml` references `https://github.com/asottile/yesqa` at `rev: v1.4.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 133570, "scanner": "repobility-supply-chain", "fingerprint": "ab29897b204cf24e6297d90610212d04dd6442a143d30f0f3232a9ba140f805e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ab29897b204cf24e6297d90610212d04dd6442a143d30f0f3232a9ba140f805e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/.pre-commit-config.yaml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/pre-commit/pygrep-hooks` pinned to mutable rev `v1.9.0`: `.pre-commit-config.yaml` references `https://github.com/pre-commit/pygrep-hooks` at `rev: v1.9.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 133569, "scanner": "repobility-supply-chain", "fingerprint": "aebab86eb90f9363f2a62e3dc4d6881ce026c5859130447c0e62bffec832c913", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aebab86eb90f9363f2a62e3dc4d6881ce026c5859130447c0e62bffec832c913"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/.pre-commit-config.yaml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "[MINED131] pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v4.3.0`: `.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v4.3.0`. If `{rev}` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine."}, "properties": {"repobilityId": 133568, "scanner": "repobility-supply-chain", "fingerprint": "9e26024e8ea5730b457578de4b486730bdb016a1c5f2fbe7ce07a956abb8c514", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9e26024e8ea5730b457578de4b486730bdb016a1c5f2fbe7ce07a956abb8c514"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/.pre-commit-config.yaml"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24.16-alpine3.23` not pinned by digest: `FROM node:24.16-alpine3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133567, "scanner": "repobility-supply-chain", "fingerprint": "e280e9d4f0b1dd088dc2130f0a5eb5489a8a34a90430544bab2692d79fb60d00", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e280e9d4f0b1dd088dc2130f0a5eb5489a8a34a90430544bab2692d79fb60d00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/openapi/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133541, "scanner": "repobility-supply-chain", "fingerprint": "0ce5191c514001b318b2f4eeaa926b6d75478372dd6f408e77484f3feb7a8962", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0ce5191c514001b318b2f4eeaa926b6d75478372dd6f408e77484f3feb7a8962"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/go-sdk/nullable-request-body/dynamic-snippets-disabled/.github/workflows/ci.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v4`: `uses: actions/setup-go@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133540, "scanner": "repobility-supply-chain", "fingerprint": "445d529d2709adaeab2aa644a303f2a86611b09ff1f91a5776f8e42003efa7bb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|445d529d2709adaeab2aa644a303f2a86611b09ff1f91a5776f8e42003efa7bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/go-sdk/no-content-response/.github/workflows/ci.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133539, "scanner": "repobility-supply-chain", "fingerprint": "439ad8e89c8ac6560d78103d5c36a36aeaaf683082c0239784ba1a350f3690f8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|439ad8e89c8ac6560d78103d5c36a36aeaaf683082c0239784ba1a350f3690f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/go-sdk/no-content-response/.github/workflows/ci.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `golangci/golangci-lint-action` pinned to mutable ref `@v9`: `uses: golangci/golangci-lint-action@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133538, "scanner": "repobility-supply-chain", "fingerprint": "a5c7f7b095a34270cbcacd2344b1a62ca67dcf6f4310150ae90ed1a89425ee34", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a5c7f7b095a34270cbcacd2344b1a62ca67dcf6f4310150ae90ed1a89425ee34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/go-sdk/no-content-response/.github/workflows/ci.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v4`: `uses: actions/setup-go@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133537, "scanner": "repobility-supply-chain", "fingerprint": "92291709a90017429d8cf125bcc5700b88d03dadf166eb0bb70b0a84d892af45", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|92291709a90017429d8cf125bcc5700b88d03dadf166eb0bb70b0a84d892af45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/go-sdk/no-content-response/.github/workflows/ci.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133536, "scanner": "repobility-supply-chain", "fingerprint": "757cde5f3f1fc2cf1484dbd957874dbf53fda2c95f4b569650969858d1b25da4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|757cde5f3f1fc2cf1484dbd957874dbf53fda2c95f4b569650969858d1b25da4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/go-sdk/no-content-response/.github/workflows/ci.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v4`: `uses: actions/setup-go@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133535, "scanner": "repobility-supply-chain", "fingerprint": "9eb3c0176112d7ed5c7195406b83c14f03d012993a1f482cd11e4f5cf18e6917", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9eb3c0176112d7ed5c7195406b83c14f03d012993a1f482cd11e4f5cf18e6917"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/go-sdk/no-content-response/.github/workflows/ci.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133534, "scanner": "repobility-supply-chain", "fingerprint": "a6c02f941f4c3a24242dd62aeb2445994ffcf1b46e59192cca5badb333773c16", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a6c02f941f4c3a24242dd62aeb2445994ffcf1b46e59192cca5badb333773c16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/go-sdk/no-content-response/.github/workflows/ci.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133533, "scanner": "repobility-supply-chain", "fingerprint": "e6a11dde092de3975693c4265849bfd69e233d5c6cb660dae231a19cfeec0c45", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e6a11dde092de3975693c4265849bfd69e233d5c6cb660dae231a19cfeec0c45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/cli/query-parameters-openapi/github-npm/.github/workflows/ci.yml"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133532, "scanner": "repobility-supply-chain", "fingerprint": "6508920d0d8badcae7a5afba4bc61b186e42454fd38fb9ca982ba85ec7d34928", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6508920d0d8badcae7a5afba4bc61b186e42454fd38fb9ca982ba85ec7d34928"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/cli/query-parameters-openapi/github-npm/.github/workflows/ci.yml"}, "region": {"startLine": 169}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133531, "scanner": "repobility-supply-chain", "fingerprint": "51fdbea5062a13cee6d7f42d6dd8185c22156a1df69ca9ee23d6f5e06b32e2df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|51fdbea5062a13cee6d7f42d6dd8185c22156a1df69ca9ee23d6f5e06b32e2df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/cli/query-parameters-openapi/github-npm/.github/workflows/ci.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions-rust-lang/setup-rust-toolchain` pinned to mutable ref `@v1`: `uses: actions-rust-lang/setup-rust-toolchain@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133530, "scanner": "repobility-supply-chain", "fingerprint": "0f05f204229c5d4d5db7ea7cf0cf4bb4ff381d32aadba7d141c24803b8b8b660", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f05f204229c5d4d5db7ea7cf0cf4bb4ff381d32aadba7d141c24803b8b8b660"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/cli/query-parameters-openapi/github-npm/.github/workflows/ci.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133529, "scanner": "repobility-supply-chain", "fingerprint": "5d720c798704d478a0ea9e47b366cd9d995103c6a52bd91081d3901905481a29", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5d720c798704d478a0ea9e47b366cd9d995103c6a52bd91081d3901905481a29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/cli/query-parameters-openapi/github-npm/.github/workflows/ci.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions-rust-lang/setup-rust-toolchain` pinned to mutable ref `@v1`: `uses: actions-rust-lang/setup-rust-toolchain@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133528, "scanner": "repobility-supply-chain", "fingerprint": "71b01fe7287c77df619ec92b3e1937518f9aaedb7d6858d73eb2b29a30f4708f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|71b01fe7287c77df619ec92b3e1937518f9aaedb7d6858d73eb2b29a30f4708f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/cli/query-parameters-openapi/github-npm/.github/workflows/ci.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133527, "scanner": "repobility-supply-chain", "fingerprint": "2f42e05579e4f431b34904c76ab2e10e1058ddea28ca1381d636b63075da4a32", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2f42e05579e4f431b34904c76ab2e10e1058ddea28ca1381d636b63075da4a32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/cli/query-parameters-openapi/github-npm/.github/workflows/ci.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions-rust-lang/setup-rust-toolchain` pinned to mutable ref `@v1`: `uses: actions-rust-lang/setup-rust-toolchain@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133526, "scanner": "repobility-supply-chain", "fingerprint": "47d164bad56ee7f10482c1eb02a10ec81391262b1217ba42649791242e7e9625", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|47d164bad56ee7f10482c1eb02a10ec81391262b1217ba42649791242e7e9625"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/cli/query-parameters-openapi/github-npm/.github/workflows/ci.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133525, "scanner": "repobility-supply-chain", "fingerprint": "12eb2142882118b25977dcc3a11ab6908326c0ef88854c99b86282dd5d574408", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|12eb2142882118b25977dcc3a11ab6908326c0ef88854c99b86282dd5d574408"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/cli/query-parameters-openapi/github-npm/.github/workflows/ci.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions-rust-lang/setup-rust-toolchain` pinned to mutable ref `@v1`: `uses: actions-rust-lang/setup-rust-toolchain@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133524, "scanner": "repobility-supply-chain", "fingerprint": "62ac16a2a623d19e7af0720072cece2a96d79922581c04586b048d4b1c673770", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|62ac16a2a623d19e7af0720072cece2a96d79922581c04586b048d4b1c673770"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/cli/query-parameters-openapi/github-npm/.github/workflows/ci.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133523, "scanner": "repobility-supply-chain", "fingerprint": "b92ecf3be040b4383cbe031b930c5ffdf40be56e17ea274004b0beddc42a6dfe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b92ecf3be040b4383cbe031b930c5ffdf40be56e17ea274004b0beddc42a6dfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/cli/query-parameters-openapi/github-npm/.github/workflows/ci.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions-rust-lang/setup-rust-toolchain` pinned to mutable ref `@v1`: `uses: actions-rust-lang/setup-rust-toolchain@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133522, "scanner": "repobility-supply-chain", "fingerprint": "c1f5eaa12271802710f842f949fb149a525dd69aadb9abe74802926c8a9ba0d5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c1f5eaa12271802710f842f949fb149a525dd69aadb9abe74802926c8a9ba0d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/cli/query-parameters-openapi/github-no-publish/.github/workflows/ci.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133521, "scanner": "repobility-supply-chain", "fingerprint": "68b246b6f2da378d72834d865dd49622f17e2986c7f67858b2ba77235f72e339", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|68b246b6f2da378d72834d865dd49622f17e2986c7f67858b2ba77235f72e339"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/cli/query-parameters-openapi/github-no-publish/.github/workflows/ci.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions-rust-lang/setup-rust-toolchain` pinned to mutable ref `@v1`: `uses: actions-rust-lang/setup-rust-toolchain@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133520, "scanner": "repobility-supply-chain", "fingerprint": "b3dc1f074286456d91064d1005b07e4464f07a6dfae2c8151470293671ebb7fc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b3dc1f074286456d91064d1005b07e4464f07a6dfae2c8151470293671ebb7fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/cli/query-parameters-openapi/github-no-publish/.github/workflows/ci.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133519, "scanner": "repobility-supply-chain", "fingerprint": "fe99c3732c1e519d2ba1f04c893f4606cd5e32238d3624edcd0fb714c9d85bac", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fe99c3732c1e519d2ba1f04c893f4606cd5e32238d3624edcd0fb714c9d85bac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/cli/query-parameters-openapi/github-no-publish/.github/workflows/ci.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions-rust-lang/setup-rust-toolchain` pinned to mutable ref `@v1`: `uses: actions-rust-lang/setup-rust-toolchain@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133518, "scanner": "repobility-supply-chain", "fingerprint": "1ec505e26c4068ee7037a7a4243d8537e703022ff4686460c71a90cbecab22cd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ec505e26c4068ee7037a7a4243d8537e703022ff4686460c71a90cbecab22cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/cli/query-parameters-openapi/github-no-publish/.github/workflows/ci.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 133517, "scanner": "repobility-supply-chain", "fingerprint": "f1186367062f0f2bb2ac7e5195e0b0a11428a572e963b3f90e615fd50f9edaab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f1186367062f0f2bb2ac7e5195e0b0a11428a572e963b3f90e615fd50f9edaab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/cli/query-parameters-openapi/github-no-publish/.github/workflows/ci.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:3.14.9` not pinned by digest: `FROM alpine:3.14.9` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133516, "scanner": "repobility-supply-chain", "fingerprint": "6c5c5275aac82a362bab2363f2b110362b83cdd3146d21c4879c96bc8a6a641c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c5c5275aac82a362bab2363f2b110362b83cdd3146d21c4879c96bc8a6a641c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/generation/local-generation/docker-utils/src/__test__/resources/basic-writer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `docker:29.5.2-dind-alpine3.23` not pinned by digest: `FROM docker:29.5.2-dind-alpine3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133515, "scanner": "repobility-supply-chain", "fingerprint": "940b134aabb89724d900603be2a0e6cbe5aaf3c45b1d189f4859ff35bc1e9da9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|940b134aabb89724d900603be2a0e6cbe5aaf3c45b1d189f4859ff35bc1e9da9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.php"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `golang:1.26.4-alpine3.23` not pinned by digest: `FROM golang:1.26.4-alpine3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133514, "scanner": "repobility-supply-chain", "fingerprint": "bb3c5d537b41bf752fbc5525ea61772f980b5a848ba1f1427a88c21bbf7c46e7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bb3c5d537b41bf752fbc5525ea61772f980b5a848ba1f1427a88c21bbf7c46e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.php"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:3.23` not pinned by digest: `FROM alpine:3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133513, "scanner": "repobility-supply-chain", "fingerprint": "56ddcb5645613a5a699879f7da47ea5d7f1e863e2b87c8d3a2690d54315d72c7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|56ddcb5645613a5a699879f7da47ea5d7f1e863e2b87c8d3a2690d54315d72c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.php"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/dotnet/sdk:10.0` not pinned by digest: `FROM mcr.microsoft.com/dotnet/sdk:10.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133512, "scanner": "repobility-supply-chain", "fingerprint": "6073d25b18b900ce157f60d65e222a8e39515067408458fbc2119830cf3beef3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6073d25b18b900ce157f60d65e222a8e39515067408458fbc2119830cf3beef3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.csharp"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24.16.0-trixie-slim` not pinned by digest: `FROM node:24.16.0-trixie-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133511, "scanner": "repobility-supply-chain", "fingerprint": "0ed79ae65cae9ccf302cb0c6a53072f4cdd2148895882805840d6c922a40afe9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0ed79ae65cae9ccf302cb0c6a53072f4cdd2148895882805840d6c922a40afe9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `golang:1.26.4-trixie` not pinned by digest: `FROM golang:1.26.4-trixie` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133510, "scanner": "repobility-supply-chain", "fingerprint": "82871667ffa5167b839f33e773fd73a8e0e0c3ae23097247ffbeb9b5f684bd82", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|82871667ffa5167b839f33e773fd73a8e0e0c3ae23097247ffbeb9b5f684bd82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `docker:29.5.2-dind-alpine3.23` not pinned by digest: `FROM docker:29.5.2-dind-alpine3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133509, "scanner": "repobility-supply-chain", "fingerprint": "96a2174d5b3ef995e6a6c614a779a687fb4da553cee0a910785678651d3f74a6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|96a2174d5b3ef995e6a6c614a779a687fb4da553cee0a910785678651d3f74a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.go"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `golang:1.26.4-alpine3.23` not pinned by digest: `FROM golang:1.26.4-alpine3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133508, "scanner": "repobility-supply-chain", "fingerprint": "5c1e7d934305d29e2a99c17cf2962c984c126e6c82854d69498c3949834a5dd7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5c1e7d934305d29e2a99c17cf2962c984c126e6c82854d69498c3949834a5dd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.go"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:3.23` not pinned by digest: `FROM alpine:3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133507, "scanner": "repobility-supply-chain", "fingerprint": "c4d35059057ddf1039be9649797a1f2220d6da0839db657405015cdba0de1e7e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c4d35059057ddf1039be9649797a1f2220d6da0839db657405015cdba0de1e7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.go"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `docker:29.5.2-dind-alpine3.23` not pinned by digest: `FROM docker:29.5.2-dind-alpine3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133506, "scanner": "repobility-supply-chain", "fingerprint": "e5ab74b4be357ba50efe767673aac0dcd56fe0ca0dfc4fc727baddeff9c724c4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e5ab74b4be357ba50efe767673aac0dcd56fe0ca0dfc4fc727baddeff9c724c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.python"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `golang:1.26.4-alpine3.23` not pinned by digest: `FROM golang:1.26.4-alpine3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133505, "scanner": "repobility-supply-chain", "fingerprint": "a7121636369e8e58d1ecdd8afc56dfe457cf3b0de3d05fb607afc39d56d164f4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a7121636369e8e58d1ecdd8afc56dfe457cf3b0de3d05fb607afc39d56d164f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.python"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:3.23` not pinned by digest: `FROM alpine:3.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133504, "scanner": "repobility-supply-chain", "fingerprint": "48f40eac11d1334a953e036b5e63352c89f770cfe2ed1600eb98820eaf91f715", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|48f40eac11d1334a953e036b5e63352c89f770cfe2ed1600eb98820eaf91f715"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.python"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `redhat/ubi9:9.7` not pinned by digest: `FROM redhat/ubi9:9.7` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133503, "scanner": "repobility-supply-chain", "fingerprint": "7bc64ec86f5e949a00d3e2eb67adf76b84c588a98624f503538a1fc47ab83449", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7bc64ec86f5e949a00d3e2eb67adf76b84c588a98624f503538a1fc47ab83449"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.java"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `rust:1.95.0-bookworm` not pinned by digest: `FROM rust:1.95.0-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 133502, "scanner": "repobility-supply-chain", "fingerprint": "06bce8710ffebe49eaab77470bf32c3d39a1fcc30392722216de39f324f5ea35", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|06bce8710ffebe49eaab77470bf32c3d39a1fcc30392722216de39f324f5ea35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/seed/Dockerfile.cli"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test__create_tree: Test function `test__create_tree` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 133501, "scanner": "repobility-ast-engine", "fingerprint": "334251df789e3f370cdf83d5b48194eddac586947dfca71804bdd82ad8f1abec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|334251df789e3f370cdf83d5b48194eddac586947dfca71804bdd82ad8f1abec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/allof/no-custom-config/tests/wire/test_.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test__create_plant: Test function `test__create_plant` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 133500, "scanner": "repobility-ast-engine", "fingerprint": "99c7df58b287b94a1a7909711f6b7086d885d3a3863f894f5fdeb5d5181da78b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|99c7df58b287b94a1a7909711f6b7086d885d3a3863f894f5fdeb5d5181da78b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/allof/no-custom-config/tests/wire/test_.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test__get_organization: Test function `test__get_organization` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 133499, "scanner": "repobility-ast-engine", "fingerprint": "9480b22224dfbbddec9e02f597fcf9d8b896c8b9749002e9d760d4b3dcb11582", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9480b22224dfbbddec9e02f597fcf9d8b896c8b9749002e9d760d4b3dcb11582"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/allof/no-custom-config/tests/wire/test_.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test__get_entity: Test function `test__get_entity` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 133498, "scanner": "repobility-ast-engine", "fingerprint": "b8ac33f8ca1f75e158c2b0bd78d31cae082113d83907e6ca17f560647486536b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b8ac33f8ca1f75e158c2b0bd78d31cae082113d83907e6ca17f560647486536b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/allof/no-custom-config/tests/wire/test_.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test__list_users: Test function `test__list_users` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 133497, "scanner": "repobility-ast-engine", "fingerprint": "3010d38ffb37db8e0672bd2923b4347dae31c6069348b3472ec73553af4a5d04", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3010d38ffb37db8e0672bd2923b4347dae31c6069348b3472ec73553af4a5d04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/allof/no-custom-config/tests/wire/test_.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test__create_rule: Test function `test__create_rule` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 133496, "scanner": "repobility-ast-engine", "fingerprint": "8d13cd26e16a79767b3cb961b11a9877198a390f76c0da2d55a91b65c603468d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8d13cd26e16a79767b3cb961b11a9877198a390f76c0da2d55a91b65c603468d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/allof/no-custom-config/tests/wire/test_.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test__search_rule_types: Test function `test__search_rule_types` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 133495, "scanner": "repobility-ast-engine", "fingerprint": "15a01548153fdd3e0c4e65d9159d6393a83efdf4141ecaddcce1eba174132dcc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|15a01548153fdd3e0c4e65d9159d6393a83efdf4141ecaddcce1eba174132dcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/allof/no-custom-config/tests/wire/test_.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_completions_stream_without_terminator: Test function `test_completions_stream_without_terminator` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 133494, "scanner": "repobility-ast-engine", "fingerprint": "592290be7641ea9d15b19f29654685d6f8192444b87c4d4ab5b4ecbb8cafab15", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|592290be7641ea9d15b19f29654685d6f8192444b87c4d4ab5b4ecbb8cafab15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/server-sent-events/with-wire-tests/tests/wire/test_completions.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_completions_stream: Test function `test_completions_stream` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 133493, "scanner": "repobility-ast-engine", "fingerprint": "30ed134a250bd3172c350baa255cb83475a84fe3d7ec29ba7e90b67d952340eb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|30ed134a250bd3172c350baa255cb83475a84fe3d7ec29ba7e90b67d952340eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/server-sent-events/with-wire-tests/tests/wire/test_completions.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test__chat: Test function `test__chat` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 133473, "scanner": "repobility-ast-engine", "fingerprint": "4351548d28fff26753c8ac033fb6d4761b4cec620a41147ebf6ee4deacadece3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4351548d28fff26753c8ac033fb6d4761b4cec620a41147ebf6ee4deacadece3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/python-streaming-parameter-openapi/with-wire-tests/tests/wire/test_.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test__chat_stream: Test function `test__chat_stream` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 133472, "scanner": "repobility-ast-engine", "fingerprint": "67c91874353ab66822aa57123a0bc36be9da9fac080fd3dc9737a701e8664b0a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|67c91874353ab66822aa57123a0bc36be9da9fac080fd3dc9737a701e8664b0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/python-streaming-parameter-openapi/with-wire-tests/tests/wire/test_.py"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_method_name: Test function `test_method_name` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 133469, "scanner": "repobility-ast-engine", "fingerprint": "ebe329aa8bae62e9dc8d73da9a859dc98ce1dff9ad99f95ea0a1d01b3e177656", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ebe329aa8bae62e9dc8d73da9a859dc98ce1dff9ad99f95ea0a1d01b3e177656"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/nullable-request-body/src/seed/test_group/raw_client.py"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_method_name: Test function `test_method_name` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 133468, "scanner": "repobility-ast-engine", "fingerprint": "612fd0f4933c9d790e29be08a9801d0b230c7b416027717c65fc63ea436d4323", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|612fd0f4933c9d790e29be08a9801d0b230c7b416027717c65fc63ea436d4323"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/nullable-request-body/src/seed/test_group/raw_client.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_method_name: Test function `test_method_name` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 133467, "scanner": "repobility-ast-engine", "fingerprint": "e4c78eee6e824743713f967e3790c80f883e3682edb6f35ddaeb6e1fbe294836", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e4c78eee6e824743713f967e3790c80f883e3682edb6f35ddaeb6e1fbe294836"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/nullable-request-body/src/seed/test_group/client.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_method_name: Test function `test_method_name` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 133466, "scanner": "repobility-ast-engine", "fingerprint": "23c452efe55c20990d415addeec1e3c394e86cb7a0e7c195ef9cc83518376297", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|23c452efe55c20990d415addeec1e3c394e86cb7a0e7c195ef9cc83518376297"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/nullable-request-body/src/seed/test_group/client.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_group: Test function `test_group` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 133463, "scanner": "repobility-ast-engine", "fingerprint": "b905111a9266c3fa928d9497142aac52321fe6ee8c6dd8a1fb0ede6b74071b6c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b905111a9266c3fa928d9497142aac52321fe6ee8c6dd8a1fb0ede6b74071b6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/nullable-request-body/src/seed/client.py"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_group: Test function `test_group` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 133462, "scanner": "repobility-ast-engine", "fingerprint": "81e7c8aafbb46c8083e9637ef68af95e06ba06a83e38b32efca54c53604c983d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|81e7c8aafbb46c8083e9637ef68af95e06ba06a83e38b32efca54c53604c983d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/nullable-request-body/src/seed/client.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_base_url` used but never assigned in __init__: Method `stream` of class `HttpClient` reads `self.get_base_url`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133459, "scanner": "repobility-ast-engine", "fingerprint": "c87142b9bc066e936b435d4823394bf63e412870317f12d1459cdb7028fa63b1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c87142b9bc066e936b435d4823394bf63e412870317f12d1459cdb7028fa63b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/src/seed/core/http_client.py"}, "region": {"startLine": 474}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.request` used but never assigned in __init__: Method `request` of class `HttpClient` reads `self.request`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133458, "scanner": "repobility-ast-engine", "fingerprint": "c5e114a9c70c481dca671f16f0108f0f1cd31ec31d59404b12e256d38db6a2b8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c5e114a9c70c481dca671f16f0108f0f1cd31ec31d59404b12e256d38db6a2b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/src/seed/core/http_client.py"}, "region": {"startLine": 395}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.request` used but never assigned in __init__: Method `request` of class `HttpClient` reads `self.request`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133457, "scanner": "repobility-ast-engine", "fingerprint": "eaa0ea75b1341c5cf851a6f84f9ff5cdd4b652e5926444664cef3474a27017af", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eaa0ea75b1341c5cf851a6f84f9ff5cdd4b652e5926444664cef3474a27017af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/src/seed/core/http_client.py"}, "region": {"startLine": 415}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_base_url` used but never assigned in __init__: Method `request` of class `HttpClient` reads `self.get_base_url`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133456, "scanner": "repobility-ast-engine", "fingerprint": "761d9af8d58b8b15e72d7296d13d1e16ac7a81ecd0eac5f5a72205d7dec9fc1f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|761d9af8d58b8b15e72d7296d13d1e16ac7a81ecd0eac5f5a72205d7dec9fc1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/src/seed/core/http_client.py"}, "region": {"startLine": 314}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_default_aiohttp_client_defaults` of class `TestDefaultClientsWithAiohttp` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133455, "scanner": "repobility-ast-engine", "fingerprint": "0cd349f3e8acc5d447a150b3dafd835e44766fcec048cbd839da4ec7d659cadd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0cd349f3e8acc5d447a150b3dafd835e44766fcec048cbd839da4ec7d659cadd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_default_aiohttp_client_defaults` of class `TestDefaultClientsWithAiohttp` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133454, "scanner": "repobility-ast-engine", "fingerprint": "b32571f6a17480e37e511fdd6198a578d7866748f3d8153da06619d4c77343ec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b32571f6a17480e37e511fdd6198a578d7866748f3d8153da06619d4c77343ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIsInstance` used but never assigned in __init__: Method `test_default_aiohttp_client_defaults` of class `TestDefaultClientsWithAiohttp` reads `self.assertIsInstance`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133453, "scanner": "repobility-ast-engine", "fingerprint": "b9436160406107314a85ff51254358571a936bebd79efd137bd3d570b6f5f5e4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b9436160406107314a85ff51254358571a936bebd79efd137bd3d570b6f5f5e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertRaises` used but never assigned in __init__: Method `test_default_aiohttp_client_raises_without_package` of class `TestDefaultClientsWithoutAiohttp` reads `self.assertRaises`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133452, "scanner": "repobility-ast-engine", "fingerprint": "6fc9814238df3def36ef7f07db4e3cb62cb6f02cb883acc6b082afa9589e620d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6fc9814238df3def36ef7f07db4e3cb62cb6f02cb883acc6b082afa9589e620d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIn` used but never assigned in __init__: Method `test_default_aiohttp_client_raises_without_package` of class `TestDefaultClientsWithoutAiohttp` reads `self.assertIn`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133451, "scanner": "repobility-ast-engine", "fingerprint": "48a9f46f93abebca4374fb39fe88f60f2f7f119ebffedf794f10d94adc5cd3d6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|48a9f46f93abebca4374fb39fe88f60f2f7f119ebffedf794f10d94adc5cd3d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertFalse` used but never assigned in __init__: Method `test_default_async_httpx_client_overrides` of class `TestDefaultClientsWithoutAiohttp` reads `self.assertFalse`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133450, "scanner": "repobility-ast-engine", "fingerprint": "05535a91dbf1960e9ada641743832387c44016cf5f375b2e93a9d0b46a732795", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|05535a91dbf1960e9ada641743832387c44016cf5f375b2e93a9d0b46a732795"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_default_async_httpx_client_overrides` of class `TestDefaultClientsWithoutAiohttp` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133449, "scanner": "repobility-ast-engine", "fingerprint": "8271e5d13e7d3ef817117a2ba22e58d6f9135abc3b1aaa5bf3dbbad2e6c010f4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8271e5d13e7d3ef817117a2ba22e58d6f9135abc3b1aaa5bf3dbbad2e6c010f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_default_async_httpx_client_defaults` of class `TestDefaultClientsWithoutAiohttp` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133448, "scanner": "repobility-ast-engine", "fingerprint": "573e38965b38ba1df98e75f2c2d4e5ce18f2f10f73d0e1ad96614cfb0d22c017", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|573e38965b38ba1df98e75f2c2d4e5ce18f2f10f73d0e1ad96614cfb0d22c017"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_default_async_httpx_client_defaults` of class `TestDefaultClientsWithoutAiohttp` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133447, "scanner": "repobility-ast-engine", "fingerprint": "b4e596962c7564e7f3425512c0e7ae0cc7873bc7c7f9d1fba8348f75771bf879", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b4e596962c7564e7f3425512c0e7ae0cc7873bc7c7f9d1fba8348f75771bf879"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIsInstance` used but never assigned in __init__: Method `test_default_async_httpx_client_defaults` of class `TestDefaultClientsWithoutAiohttp` reads `self.assertIsInstance`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133446, "scanner": "repobility-ast-engine", "fingerprint": "801cbf41a2e60a16b042525c9c4123ae952c40f7f07d681f63cb8c2646b653ae", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|801cbf41a2e60a16b042525c9c4123ae952c40f7f07d681f63cb8c2646b653ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertFalse` used but never assigned in __init__: Method `test_follow_redirects_none` of class `TestMakeDefaultAsyncClientWithAiohttp` reads `self.assertFalse`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133445, "scanner": "repobility-ast-engine", "fingerprint": "308597eb47423a00c06025088239714d036703f74c4440e9f32f00f8ac1cd05c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|308597eb47423a00c06025088239714d036703f74c4440e9f32f00f8ac1cd05c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIsInstance` used but never assigned in __init__: Method `test_follow_redirects_none` of class `TestMakeDefaultAsyncClientWithAiohttp` reads `self.assertIsInstance`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133444, "scanner": "repobility-ast-engine", "fingerprint": "e2c83c2d0e9d94301aa99eab91707ecbe98769b3a6f8e220f0a6fa7c02723fe9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e2c83c2d0e9d94301aa99eab91707ecbe98769b3a6f8e220f0a6fa7c02723fe9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_returns_aiohttp_client` of class `TestMakeDefaultAsyncClientWithAiohttp` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133443, "scanner": "repobility-ast-engine", "fingerprint": "d1ca1bd3b451b999e657579de6fc5254b2ac64f51fe8b2b4cafef0acaaa8605c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d1ca1bd3b451b999e657579de6fc5254b2ac64f51fe8b2b4cafef0acaaa8605c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_returns_aiohttp_client` of class `TestMakeDefaultAsyncClientWithAiohttp` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133442, "scanner": "repobility-ast-engine", "fingerprint": "6e68f5e282d9a8162484ffb3163bb6a3fbb15882a5b62a4daa506c3ad4c52e6e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6e68f5e282d9a8162484ffb3163bb6a3fbb15882a5b62a4daa506c3ad4c52e6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIsInstance` used but never assigned in __init__: Method `test_returns_aiohttp_client` of class `TestMakeDefaultAsyncClientWithAiohttp` reads `self.assertIsInstance`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133441, "scanner": "repobility-ast-engine", "fingerprint": "5d97eaec45b9330e3d4ad28ab4bc785e1ae044fe06412ba005645c1ea2d31e1a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5d97eaec45b9330e3d4ad28ab4bc785e1ae044fe06412ba005645c1ea2d31e1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIs` used but never assigned in __init__: Method `test_explicit_httpx_client_bypasses_autodetect` of class `TestMakeDefaultAsyncClientWithoutAiohttp` reads `self.assertIs`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133440, "scanner": "repobility-ast-engine", "fingerprint": "5852ef193dc7cada1fa8b5474e7005f870313ac9304333c163f96fb5f308daf8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5852ef193dc7cada1fa8b5474e7005f870313ac9304333c163f96fb5f308daf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertFalse` used but never assigned in __init__: Method `test_follow_redirects_none` of class `TestMakeDefaultAsyncClientWithoutAiohttp` reads `self.assertFalse`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133439, "scanner": "repobility-ast-engine", "fingerprint": "0895595990e48980425731c8a8ca1ab148d50fdeab724725c5b76bce1ef7b764", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0895595990e48980425731c8a8ca1ab148d50fdeab724725c5b76bce1ef7b764"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIsInstance` used but never assigned in __init__: Method `test_follow_redirects_none` of class `TestMakeDefaultAsyncClientWithoutAiohttp` reads `self.assertIsInstance`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133438, "scanner": "repobility-ast-engine", "fingerprint": "75f1fe0179a71c534c4460658f50eb53da8bf7e102b0578c5c496af70269a99e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|75f1fe0179a71c534c4460658f50eb53da8bf7e102b0578c5c496af70269a99e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_returns_httpx_async_client` of class `TestMakeDefaultAsyncClientWithoutAiohttp` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133437, "scanner": "repobility-ast-engine", "fingerprint": "075c5276fc3b7604ed27a6b9480da8a32d738a6f3f636116723ef86555ce34ee", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|075c5276fc3b7604ed27a6b9480da8a32d738a6f3f636116723ef86555ce34ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_returns_httpx_async_client` of class `TestMakeDefaultAsyncClientWithoutAiohttp` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133436, "scanner": "repobility-ast-engine", "fingerprint": "a92d54ba898068c7466f229f92b7510ac05ddece71aad5e15c23e90b0fe75670", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a92d54ba898068c7466f229f92b7510ac05ddece71aad5e15c23e90b0fe75670"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertIsInstance` used but never assigned in __init__: Method `test_returns_httpx_async_client` of class `TestMakeDefaultAsyncClientWithoutAiohttp` reads `self.assertIsInstance`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 133435, "scanner": "repobility-ast-engine", "fingerprint": "59bc655195b3979700b758b000e227bf7713931e4884bb134ac134485ac0868d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|59bc655195b3979700b758b000e227bf7713931e4884bb134ac134485ac0868d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "seed/python-sdk/no-content-response/tests/test_aiohttp_autodetect.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 133423, "scanner": "repobility-docker", "fingerprint": "5ad45604d2fe20b1a8e483875ad32e0a740414b1ee34706c7f02109259e5115d", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5ad45604d2fe20b1a8e483875ad32e0a740414b1ee34706c7f02109259e5115d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python-v2/sdk/Dockerfile"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 133421, "scanner": "repobility-docker", "fingerprint": "2593afb969d75280a9eac8224331008ae56cfbda8dee4f6004600bc8b55575c9", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2593afb969d75280a9eac8224331008ae56cfbda8dee4f6004600bc8b55575c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python-v2/pydantic-model/Dockerfile"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKR015", "level": "error", "message": {"text": "Docker build context is very large"}, "properties": {"repobilityId": 133393, "scanner": "repobility-docker", "fingerprint": "b15d4f710afeff2af4cd4ab204332853f9025b78869a0e87bb466a798bb1a15b", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Estimated Docker build context exceeds Repobility's size or file-count threshold.", "evidence": {"capped": true, "rule_id": "DKR015", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "largest_paths": [{"path": "generators/go/internal/fern/ir.json", "size_mb": 10.3}, {"path": "generators/go/internal/testdata/sdk/mergent/ir.json", "size_mb": 2.1}, {"path": "generators/go/internal/testdata/model/ir/ir.json", "size_mb": 1.3}, {"path": "generators/go/internal/testdata/sdk/root/ir.json", "size_mb": 1.3}, {"path": "test-definitions/fern/apis/property-access/ir.json", "size_mb": 1.0}], "included_files": 50000, "context_size_mb": 166.3, "correlation_key": "fp|b15d4f710afeff2af4cd4ab204332853f9025b78869a0e87bb466a798bb1a15b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC111", "level": "error", "message": {"text": "[SEC111] Django mark_safe / |safe filter on user data: Django's `mark_safe()` and `|safe` disable HTML autoescaping. Calling them on non-constant data is XSS."}, "properties": {"repobilityId": 133341, "scanner": "repobility-threat-engine", "fingerprint": "cebce5092d787e7d7163d4e122d30efe5e53caacf2d48403bf75d825d37141a9", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "safeString(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC111", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cebce5092d787e7d7163d4e122d30efe5e53caacf2d48403bf75d825d37141a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/src/fern_python/utils/name_resolver.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "properties": {"repobilityId": 133337, "scanner": "repobility-threat-engine", "fingerprint": "1e7bf90ed12e5ef79e6a1b762c63a2b1321837286fff6e5ffc29237e610945d8", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"charset=([^;\\s]+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|28|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/core_utilities/shared/http_sse/_api.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 133335, "scanner": "repobility-threat-engine", "fingerprint": "2744b4952a09a2f373c07785f973887b002c4a310141c2178f210fffc677cc16", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2744b4952a09a2f373c07785f973887b002c4a310141c2178f210fffc677cc16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/core_utilities/shared/http_sse/_decoders.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 133334, "scanner": "repobility-threat-engine", "fingerprint": "c6eeb3942a5f1ecb1ff5eb54d733eec7a3b8c6ee27ac233dd01263a7c4759c6c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c6eeb3942a5f1ecb1ff5eb54d733eec7a3b8c6ee27ac233dd01263a7c4759c6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/core_utilities/shared/datetime_utils.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED026", "level": "error", "message": {"text": "[MINED026] Fake Verification: assert True, expect(1).toBe(1), or other tautology used to fake passing tests."}, "properties": {"repobilityId": 133324, "scanner": "repobility-threat-engine", "fingerprint": "e7370d64c4529ce68bc78ecdde7063fff35170a863c865122ba326c963f62b53", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "fake-verification", "owasp": null, "cwe_ids": ["CWE-1126"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347959+00:00", "triaged_in_corpus": 15, "observations_count": 29905, "ai_coder_pattern_id": 5}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e7370d64c4529ce68bc78ecdde7063fff35170a863c865122ba326c963f62b53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/java/sdk/src/main/java/com/fern/java/client/generators/TestGenerator.java"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 133323, "scanner": "repobility-threat-engine", "fingerprint": "8b3c0c04220b0d57e63595925f44278ee91a96ad5370d5931bc9c8336707071f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8b3c0c04220b0d57e63595925f44278ee91a96ad5370d5931bc9c8336707071f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/java/install-gradle.sh"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 133319, "scanner": "repobility-threat-engine", "fingerprint": "d44dc8b7cdafb87daccf05bf3769723488a42f3cbfbf8ef80040fe0151940e50", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec($cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d44dc8b7cdafb87daccf05bf3769723488a42f3cbfbf8ef80040fe0151940e50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/php/sdk/src/wire-tests/WireTestSetupGenerator.ts"}, "region": {"startLine": 270}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 133318, "scanner": "repobility-threat-engine", "fingerprint": "da4b9b3f04a2a4d2f09570a18681959622e87e52aa8274f233062b1c4c0bbbc4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|da4b9b3f04a2a4d2f09570a18681959622e87e52aa8274f233062b1c4c0bbbc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/java/generator-utils/src/main/java/com/fern/java/JavaV2Adapter.java"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 133310, "scanner": "repobility-threat-engine", "fingerprint": "633bdcf447cde7306ae505be2a4ac8d0e8200086726a9119ccb0c717535543e5", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((p) => `${p.unsafeName}: ${p.type.toString()}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|633bdcf447cde7306ae505be2a4ac8d0e8200086726a9119ccb0c717535543e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/swift/sdk/src/reference/ReferenceConfigAssembler.ts"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 133309, "scanner": "repobility-threat-engine", "fingerprint": "b0c220e856114ac9a11655b6348a11c03711ae991ed3a3927538244ba782a611", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((requirePath) => `require \"${requirePath}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b0c220e856114ac9a11655b6348a11c03711ae991ed3a3927538244ba782a611"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/ruby-v2/ast/src/ast/core/RubyFile.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 133308, "scanner": "repobility-threat-engine", "fingerprint": "5fbf501b5ff4be8c6e18dc5f0c24c4dc11833f4a40a9eab6033fc874e9083463", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((packageName) => `import ${packageName}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5fbf501b5ff4be8c6e18dc5f0c24c4dc11833f4a40a9eab6033fc874e9083463"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/java-v2/ast/src/ast/core/JavaFile.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 133305, "scanner": "repobility-threat-engine", "fingerprint": "c1f815413670b618c414323c454ad044753e4e8b14099c1dc9f7e974f538319c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c1f815413670b618c414323c454ad044753e4e8b14099c1dc9f7e974f538319c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go/internal/generator/sdk/internal/multipart.go"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 133289, "scanner": "repobility-threat-engine", "fingerprint": "e387e5fcaf8829d5ac38bb6c647e85f1e0e42cb9586d4df1ab3902a1ac7eaca6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e387e5fcaf8829d5ac38bb6c647e85f1e0e42cb9586d4df1ab3902a1ac7eaca6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/cli/sdk/src/auth/provider.rs"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 133288, "scanner": "repobility-threat-engine", "fingerprint": "177a56e32eabe77cd6df54b3488acd6ae22129f8fb2a8d5def2485193330e155", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|177a56e32eabe77cd6df54b3488acd6ae22129f8fb2a8d5def2485193330e155"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/cli/sdk/src/arg_source.rs"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 133287, "scanner": "repobility-threat-engine", "fingerprint": "35f195c64aa585a9f229b0c389668582da7a30ac4324f8118872a41b86425e2f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|35f195c64aa585a9f229b0c389668582da7a30ac4324f8118872a41b86425e2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/cli/sdk/build.rs"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 133285, "scanner": "repobility-threat-engine", "fingerprint": "ee08d938aad004a88529445b4f50c7bbf23f31e56f660cb1e4ca81b4f1482077", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "encoder.update(custom_encoder)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ee08d938aad004a88529445b4f50c7bbf23f31e56f660cb1e4ca81b4f1482077"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/core_utilities/shared/jsonable_encoder.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 133284, "scanner": "repobility-threat-engine", "fingerprint": "d7f2405cd823e25554565711046abba95eee418021158d70f4f5ec6ed75efda6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "referencesToHandle.delete(filePath);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d7f2405cd823e25554565711046abba95eee418021158d70f4f5ec6ed75efda6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python-v2/ast/src/PythonFile.ts"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 133283, "scanner": "repobility-threat-engine", "fingerprint": "aeaa478679bd10f41b6c2673936c5d6d65119d1bab154ba9916223124fa787e6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "result.update({ context, snippet });", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aeaa478679bd10f41b6c2673936c5d6d65119d1bab154ba9916223124fa787e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/browser-compatible-base/src/dynamic-snippets/AbstractDynamicSnippetsGenerator.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 133272, "scanner": "repobility-threat-engine", "fingerprint": "93979c1c43c1df58145eec5d498fa90f2aa51ab94fd1976723da2779e46716c1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|93979c1c43c1df58145eec5d498fa90f2aa51ab94fd1976723da2779e46716c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/csharp/base/src/asIs/RawClient.Template.cs"}, "region": {"startLine": 259}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 133271, "scanner": "repobility-threat-engine", "fingerprint": "d9f2ed7bb6fc7a1323a3d440ebb7aa660438d13dc2914fa3c897189cd5dac4b4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d9f2ed7bb6fc7a1323a3d440ebb7aa660438d13dc2914fa3c897189cd5dac4b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/cli/sdk/src/websocket/error.rs"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 133270, "scanner": "repobility-threat-engine", "fingerprint": "31b4d92ace350ae3a15196db51e2708f4051d0b4a2a4d6fb72509a5dcd385df4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(p", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|31b4d92ace350ae3a15196db51e2708f4051d0b4a2a4d6fb72509a5dcd385df4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/base/src/SourceFetcher.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 38 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=1, else=2, for=3, if=8, nested_bonus=23, ternary=1."}, "properties": {"repobilityId": 133259, "scanner": "repobility-threat-engine", "fingerprint": "f070e74b77e44d91884f2949b2c6a5ab42537a7fa34f1697caa5385472194f5c", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 38 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 8, "for": 3, "else": 2, "ternary": 1, "continue": 1, "nested_bonus": 23}, "complexity": 38, "correlation_key": "fp|f070e74b77e44d91884f2949b2c6a5ab42537a7fa34f1697caa5385472194f5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/cli/scripts/read-manifest.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AUTH0_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AUTH0_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133566, "scanner": "repobility-supply-chain", "fingerprint": "7c63ef423feedca6d1f6df911c296cfbcd61594ea407ebea629212a5dfee5f46", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7c63ef423feedca6d1f6df911c296cfbcd61594ea407ebea629212a5dfee5f46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 464}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AUTH0_DOMAIN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AUTH0_DOMAIN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133565, "scanner": "repobility-supply-chain", "fingerprint": "42e42003fd507b9d05ab677ba907b65764ac998053935c1ddd8059c61e61c4df", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|42e42003fd507b9d05ab677ba907b65764ac998053935c1ddd8059c61e61c4df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 463}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FERN_ORG_TOKEN_DEV` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FERN_ORG_TOKEN_DEV }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133564, "scanner": "repobility-supply-chain", "fingerprint": "d737709066d2c74ec386cc4032591896f9d2c4e77066d85cb487e28ca656db06", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d737709066d2c74ec386cc4032591896f9d2c4e77066d85cb487e28ca656db06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 462}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AUTH0_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AUTH0_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133563, "scanner": "repobility-supply-chain", "fingerprint": "1b8da623b7c95a7082bbf75cf9415034e250fd0f768849f41e17c98d7ad647f0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b8da623b7c95a7082bbf75cf9415034e250fd0f768849f41e17c98d7ad647f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 427}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AUTH0_DOMAIN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AUTH0_DOMAIN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133562, "scanner": "repobility-supply-chain", "fingerprint": "201d06766c6da8652d5310afadd662d88ebfc52b497bd230dc3dc035e838200b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|201d06766c6da8652d5310afadd662d88ebfc52b497bd230dc3dc035e838200b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 426}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FERN_ORG_TOKEN_DEV` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FERN_ORG_TOKEN_DEV }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133561, "scanner": "repobility-supply-chain", "fingerprint": "089d3a72e22587d4e230c4eaec79aae74dccf74225e298cc673f6f2a31f2533c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|089d3a72e22587d4e230c4eaec79aae74dccf74225e298cc673f6f2a31f2533c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 425}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AUTH0_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AUTH0_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133560, "scanner": "repobility-supply-chain", "fingerprint": "656237115008393c9c5fd3d76dd9f80efb9ef6e73d4672819f85e6389a72215c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|656237115008393c9c5fd3d76dd9f80efb9ef6e73d4672819f85e6389a72215c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 399}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AUTH0_DOMAIN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AUTH0_DOMAIN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133559, "scanner": "repobility-supply-chain", "fingerprint": "159e04bdbc174828e9cdb3fc31ad0f3e6e36535a83da860c438214ad492818a8", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|159e04bdbc174828e9cdb3fc31ad0f3e6e36535a83da860c438214ad492818a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 398}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FERN_ORG_TOKEN_DEV` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FERN_ORG_TOKEN_DEV }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133558, "scanner": "repobility-supply-chain", "fingerprint": "d34f7feabb377af862306c127b6a8a6fa0f49fefcad21150028ebe66cee48ddf", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d34f7feabb377af862306c127b6a8a6fa0f49fefcad21150028ebe66cee48ddf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 397}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FERN_ORG_TOKEN_DEV` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FERN_ORG_TOKEN_DEV }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133557, "scanner": "repobility-supply-chain", "fingerprint": "49528d245a77c4d9f5020cd301e34b2e072be4ce77a441073dc8eb37d15c6a5d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|49528d245a77c4d9f5020cd301e34b2e072be4ce77a441073dc8eb37d15c6a5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 348}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FERN_ORG_TOKEN_DEV` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FERN_ORG_TOKEN_DEV }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133556, "scanner": "repobility-supply-chain", "fingerprint": "29fc0ad724d77c8de635504417ca2cd67be611c3e4a0fa799695d14d0b7f3e53", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|29fc0ad724d77c8de635504417ca2cd67be611c3e4a0fa799695d14d0b7f3e53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 346}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FERN_ORG_TOKEN_DEV` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FERN_ORG_TOKEN_DEV }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133555, "scanner": "repobility-supply-chain", "fingerprint": "736ea3eccb1108661ac49ff1952d6c5c023dbb95b9cf34fe3565a2a2b6ee25d3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|736ea3eccb1108661ac49ff1952d6c5c023dbb95b9cf34fe3565a2a2b6ee25d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 340}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FERN_ORG_TOKEN_DEV` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FERN_ORG_TOKEN_DEV }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133554, "scanner": "repobility-supply-chain", "fingerprint": "1adc78a4773a7faa48fcf7ecd15e17fe8fc2e6c4aa298a4d9e70bde73ce92c3e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1adc78a4773a7faa48fcf7ecd15e17fe8fc2e6c4aa298a4d9e70bde73ce92c3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 338}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKER_PASSWORD_PUBLIC_READONLY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_PASSWORD_PUBLIC_READONLY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133553, "scanner": "repobility-supply-chain", "fingerprint": "4e03f65a37beb29e74b7bf3f68bf2bc35e5361e6f49f2d29aef89372bc8d6326", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e03f65a37beb29e74b7bf3f68bf2bc35e5361e6f49f2d29aef89372bc8d6326"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 284}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKER_USERNAME_PUBLIC_READONLY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_USERNAME_PUBLIC_READONLY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133552, "scanner": "repobility-supply-chain", "fingerprint": "f6ef61068dc3059e0b299c8e0cbd190e938ed64bb976615fa827b529366bf0a7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f6ef61068dc3059e0b299c8e0cbd190e938ed64bb976615fa827b529366bf0a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 283}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKER_USERNAME_PUBLIC_READONLY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_USERNAME_PUBLIC_READONLY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133551, "scanner": "repobility-supply-chain", "fingerprint": "ff52c13ce7704959bea878f97234ba8ec430bd2eca8e00fb57f99358e4e34205", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ff52c13ce7704959bea878f97234ba8ec430bd2eca8e00fb57f99358e4e34205"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 281}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TURBO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TURBO_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133550, "scanner": "repobility-supply-chain", "fingerprint": "4abba177d0b7cf91b50899be402b9a9aee0bbbf2a4e6ef993da0a40d9d00d2ed", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4abba177d0b7cf91b50899be402b9a9aee0bbbf2a4e6ef993da0a40d9d00d2ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TURBO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TURBO_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133549, "scanner": "repobility-supply-chain", "fingerprint": "3d5f6baef01a147b5ee2a749d2b29c85037171c77a9f19f64b49cce33dbbbf2d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3d5f6baef01a147b5ee2a749d2b29c85037171c77a9f19f64b49cce33dbbbf2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-dynamic-snippets.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SEED_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SEED_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133548, "scanner": "repobility-supply-chain", "fingerprint": "ff0b71ec654869f4e06d5831c6d7f84f788fff4be4a566506e668d14955f3862", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ff0b71ec654869f4e06d5831c6d7f84f788fff4be4a566506e668d14955f3862"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-ete-tests.yml"}, "region": {"startLine": 283}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FERN_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FERN_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133547, "scanner": "repobility-supply-chain", "fingerprint": "d3813d6082e66091c16da544917886e2274de97063b9dfc3fc9b78cf1fb28f4b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d3813d6082e66091c16da544917886e2274de97063b9dfc3fc9b78cf1fb28f4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-ete-tests.yml"}, "region": {"startLine": 282}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SEED_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SEED_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133546, "scanner": "repobility-supply-chain", "fingerprint": "894ef71df5ebeee5b8c9c2603e0f709923a146e6a461a40b49eec4103b48be51", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|894ef71df5ebeee5b8c9c2603e0f709923a146e6a461a40b49eec4103b48be51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-ete-tests.yml"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FERN_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FERN_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133545, "scanner": "repobility-supply-chain", "fingerprint": "5d176260fa7d21c1bac7c959f000ae27f4425b384f1e4ab6b090dbde311aaa5d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5d176260fa7d21c1bac7c959f000ae27f4425b384f1e4ab6b090dbde311aaa5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-ete-tests.yml"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.FERN_API_DOCKERHUB_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.FERN_API_DOCKERHUB_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133544, "scanner": "repobility-supply-chain", "fingerprint": "7753fbc1e6effd6b6bf0b199830bbdcadbd609765569cabceb08c84ac8e9b98f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7753fbc1e6effd6b6bf0b199830bbdcadbd609765569cabceb08c84ac8e9b98f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-ete-tests.yml"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TURBO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TURBO_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133543, "scanner": "repobility-supply-chain", "fingerprint": "ee6079c6ffb7fd39f3f6126be030d8981bceef929064f039a18e5974e19ebd85", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ee6079c6ffb7fd39f3f6126be030d8981bceef929064f039a18e5974e19ebd85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-ete-tests.yml"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TURBO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TURBO_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 133542, "scanner": "repobility-supply-chain", "fingerprint": "edf94a4ec6c8dbb1d9a4d23b9144ae65bd640d7cc28ddf4d7238f5ba8b9aece4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|edf94a4ec6c8dbb1d9a4d23b9144ae65bd640d7cc28ddf4d7238f5ba8b9aece4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/validate-changelog.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 133340, "scanner": "repobility-threat-engine", "fingerprint": "9c64f8b53d11fd540b74c2979c9349621730551fb092c26a08ee6874fd0051a0", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9c64f8b53d11fd540b74c2979c9349621730551fb092c26a08ee6874fd0051a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/python/src/fern_python/snippet/template_utils.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 133304, "scanner": "repobility-threat-engine", "fingerprint": "0463a1a9f425c7f392473160e23fada7b3c4641b79fafe8e93a6ecc87df368f2", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(field", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0463a1a9f425c7f392473160e23fada7b3c4641b79fafe8e93a6ecc87df368f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go/internal/fern/ir/variables.go"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 133303, "scanner": "repobility-threat-engine", "fingerprint": "a6730175db7c8489d21673a68b3f9bb9e6cff277f0cd6f0948a5d510ef567c1c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(field", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a6730175db7c8489d21673a68b3f9bb9e6cff277f0cd6f0948a5d510ef567c1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go/internal/fern/ir/dynamic/snippets.go"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 133302, "scanner": "repobility-threat-engine", "fingerprint": "11b51e68a7f822abdd9b497538ae69bdeed06549f4afd1c29fa7998d2d80509f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(field", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|11b51e68a7f822abdd9b497538ae69bdeed06549f4afd1c29fa7998d2d80509f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "generators/go/internal/fern/ir/constants.go"}, "region": {"startLine": 38}}}]}]}]}