{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC125", "name": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeh", "shortDescription": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim "}, "fullDescription": {"text": "Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. 
Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. 
Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `neon_wsproxy` image uses the latest tag", "shortDescription": {"text": "Compose service `neon_wsproxy` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": 
"Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. 
For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "low", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, 
"fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC009", "name": "Multiple AI-agent scaffold marker files are present", "shortDescription": {"text": "Multiple AI-agent scaffold marker files are present"}, "fullDescription": {"text": "Keep one current agent instruction file if it helps contributors, remove stale progress/completion markers, and make sure the README, tests, and CI describe the real supported behavior."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 15 more): Same pattern found in 15 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 8 more): Same pattern found in 8 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 8 more): Same pattern found in 8 additional files. 
Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 2 more): Same pattern found in 2 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[SEC084] JS: require() with non-literal (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 13 more): Same pattern found in 13 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 56 more): Same pattern found in 56 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 56 more): Same pattern found in 56 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 24 more): Same pattern found in 24 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 20 more): Same pattern found in 20 additional f", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 64 more): Same pattern found in 64 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 64 more): Same pattern found in 64 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.25, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `peter-evans/create-pull-request` pinned to mutable ref `@v8`: `uses: peter-evans/create-pull-request@", "shortDescription": {"text": "[MINED115] Action `peter-evans/create-pull-request` pinned to mutable ref `@v8`: `uses: peter-evans/create-pull-request@v8` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/chan"}, "fullDescription": {"text": "Replace with: `uses: peter-evans/create-pull-request@<40-char-sha>  # v8` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `db` pulled from URL/Git: `dependencies.db` = `link:./node_modules/.prisma/client` bypasses ", "shortDescription": {"text": "[MINED122] package.json dep `db` pulled from URL/Git: `dependencies.db` = `link:./node_modules/.prisma/client` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromise"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `node:20.19` not pinned by digest: `FROM node:20.19` resolves the tag at build time. The regi", "shortDescription": {"text": "[MINED118] Dockerfile FROM `node:20.19` not pinned by digest: `FROM node:20.19` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should p"}, "fullDescription": {"text": "Replace with: `FROM node:20.19@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED032", "name": "[MINED032] Ts Nocheck Comment: // @ts-nocheck silences all type checking for entire file.", "shortDescription": {"text": "[MINED032] Ts Nocheck Comment: // @ts-nocheck silences all type checking for entire file."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. 
Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.CODSPEED_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`,", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.CODSPEED_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.CODSPEED_TOKEN }` lets a PR from any fork exfiltrate the secr"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED024", "name": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.", "shortDescription": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/198"}, "properties": {"repository": "prisma/prisma", "repoUrl": "https://github.com/prisma/prisma", "branch": "main"}, "results": [{"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 50522, "scanner": "repobility-threat-engine", "fingerprint": "83afbdb4eecfda3e5d7397a62b444300cd8cbce3d7fa46f2abe6e6c28be753c0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url: 'https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|83afbdb4eecfda3e5d7397a62b444300cd8cbce3d7fa46f2abe6e6c28be753c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/type-benchmark-tests/basic/basic.bench.ts"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC125", "level": "warning", "message": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim \u2014 production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. 
Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand"}, "properties": {"repobilityId": 50515, "scanner": "repobility-threat-engine", "fingerprint": "b3599006b58bea786234ab04342b1d556a87779660a4ad15366ff6408bbad878", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"<your-api-key>\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC125", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b3599006b58bea786234ab04342b1d556a87779660a4ad15366ff6408bbad878"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/postgres/link/Link.ts"}, "region": {"startLine": 155}}}]}, {"ruleId": "SEC125", "level": "warning", "message": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim \u2014 production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. 
Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand"}, "properties": {"repobilityId": 50514, "scanner": "repobility-threat-engine", "fingerprint": "c7a89f5db17be6060518d51e1e52aee62ef96ccb47764045248fd0b03381e552", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"<your-api-key>\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC125", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c7a89f5db17be6060518d51e1e52aee62ef96ccb47764045248fd0b03381e552"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/postgres/PostgresCommand.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 50506, "scanner": "repobility-threat-engine", "fingerprint": "55baf75241b8bb0198ee2a8dfc0845210de45194a63603358c7c01efbfa0b1f4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) {\n      return null\n    }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|55baf75241b8bb0198ee2a8dfc0845210de45194a63603358c7c01efbfa0b1f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/fetch-engine/src/utils.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 50505, "scanner": "repobility-threat-engine", "fingerprint": "39aee7c8311037822510e152f5520d374c831bcf160ae83a6da8b3dff75d872b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) {\n      return null\n    }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|39aee7c8311037822510e152f5520d374c831bcf160ae83a6da8b3dff75d872b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/runtime/utils/SourceFileSlice.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 50504, "scanner": "repobility-threat-engine", "fingerprint": "55e002bf5d75435a1d296b8e665336b51efd8c731f8c5c308c2dc146f03c55af", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) {\n    return null\n  }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|55e002bf5d75435a1d296b8e665336b51efd8c731f8c5c308c2dc146f03c55af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/Generate.ts"}, "region": {"startLine": 363}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 50494, "scanner": "repobility-threat-engine", "fingerprint": "282456259dec3420696a538e2cd4e359d5c72d9d6900c77866f13ec1f05222a5", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|172|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-d1/src/d1-worker.ts"}, "region": {"startLine": 172}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 50493, "scanner": "repobility-threat-engine", "fingerprint": "d2e785169ddc41990e25bdf0e0c3a2e66be5ebc935347fdd068a17d8338c4835", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|186|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-better-sqlite3/src/better-sqlite3.ts"}, "region": {"startLine": 186}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 50492, "scanner": "repobility-threat-engine", "fingerprint": "ff54133fe2e62c033c515780dde6d393f7c4eb0716fb7be039a02eb243267f09", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|31|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helpers/compile/plugins/replaceWithPlugin.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 6097, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["GraphQL"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 6095, "scanner": "repobility-docker", "fingerprint": "2bc41108201631209359b4615cd39fa8706961491c79f9f7ffe58426642e3f95", "category": "docker", "severity": "medium", 
"confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|2bc41108201631209359b4615cd39fa8706961491c79f9f7ffe58426642e3f95", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/typed-sql/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 6093, "scanner": "repobility-docker", "fingerprint": "1ee62ae419137e6a0c028c0b4d6e9416231b41da96a1531b47484d27cb41fc28", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres-ssl", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|1ee62ae419137e6a0c028c0b4d6e9416231b41da96a1531b47484d27cb41fc28", "compose_secrets_declared": false}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/pg-self-signed-cert-error/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 6090, "scanner": "repobility-docker", "fingerprint": "2eefdc7d06440f0b440f3be907c3c6229236df508791989e000104ecec6bf6dc", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|2eefdc7d06440f0b440f3be907c3c6229236df508791989e000104ecec6bf6dc", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/pg-global-type-parsers/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 6087, "scanner": "repobility-docker", "fingerprint": "5619585862b44a53880222d063747d00b45ca24c3843e0cdcd131b378979e25e", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating 
it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mysql", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|5619585862b44a53880222d063747d00b45ca24c3843e0cdcd131b378979e25e", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/issues/28221-multiple-provider-clients/docker-compose.yaml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 6085, "scanner": "repobility-docker", "fingerprint": "1c56906c8e9fb59d02bfd8c4ed28e976c3b09e4106033e12997b032ca0b6afa9", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|1c56906c8e9fb59d02bfd8c4ed28e976c3b09e4106033e12997b032ca0b6afa9", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/issues/28221-multiple-provider-clients/docker-compose.yaml"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service 
contains a literal secret environment value"}, "properties": {"repobilityId": 6083, "scanner": "repobility-docker", "fingerprint": "4aa0470736b3719049226d523ec2d903495217168474d5915fadc9b25e7a7b89", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|4aa0470736b3719049226d523ec2d903495217168474d5915fadc9b25e7a7b89", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-pg/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 6080, "scanner": "repobility-docker", "fingerprint": "317eaa54495c22ddf813920c4fe625ba15e8398ff62d0ea5566707d4c22a3c76", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": 
["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|317eaa54495c22ddf813920c4fe625ba15e8398ff62d0ea5566707d4c22a3c76", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKC016", "level": "warning", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 6079, "scanner": "repobility-docker", "fingerprint": "ad4640147d2bff6ab873c102a96453cbe298bab680659857b3c415e3efc93c95", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dependency database has a healthcheck but the app does not use condition: service_healthy.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "neon_wsproxy", "dependency": "postgres", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|ad4640147d2bff6ab873c102a96453cbe298bab680659857b3c415e3efc93c95", "dependency_has_healthcheck": true}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `neon_wsproxy` image uses the latest tag"}, "properties": {"repobilityId": 6076, "scanner": "repobility-docker", "fingerprint": "11f5d4e17801674c098aba07df8ee485bacbd955395e5a1c4951b6bcc70aebfd", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": 
"ghcr.io/neondatabase/wsproxy:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|11f5d4e17801674c098aba07df8ee485bacbd955395e5a1c4951b6bcc70aebfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 6074, "scanner": "repobility-docker", "fingerprint": "00c7fe41d2800e2885d50dc538cddd8ab75fcd160c77516b03a4225ad4d5acbc", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mysql", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|00c7fe41d2800e2885d50dc538cddd8ab75fcd160c77516b03a4225ad4d5acbc", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/connection-limit-reached/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC016", "level": "warning", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 6071, "scanner": "repobility-docker", "fingerprint": 
"54ddb6b244e08a335a216b31af5458aab4040e14de9b48a84d9ec7091fd0d47a", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dependency database has a healthcheck but the app does not use condition: service_healthy.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "planetscale_proxy", "dependency": "vitess-8", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|54ddb6b244e08a335a216b31af5458aab4040e14de9b48a84d9ec7091fd0d47a", "dependency_has_healthcheck": true}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 244}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `neon_wsproxy` image uses the latest tag"}, "properties": {"repobilityId": 6066, "scanner": "repobility-docker", "fingerprint": "aa9c67b06bd13b3d61638026038629157b59e462270ae504dd482738d6dab6b4", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/neondatabase/wsproxy:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|aa9c67b06bd13b3d61638026038629157b59e462270ae504dd482738d6dab6b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 226}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 6063, "scanner": "repobility-docker", "fingerprint": "bee03bbb0d4dbacde5506f9e1a5bc9df61201c3874d3b75677cf679bc6800e5a", "category": "docker", 
"severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mongo", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|bee03bbb0d4dbacde5506f9e1a5bc9df61201c3874d3b75677cf679bc6800e5a", "expected_targets": ["/data/configdb", "/data/db"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 183}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 6035, "scanner": "repobility-docker", "fingerprint": "ac5755c49a67b53ee9abdb629e0281e21184f30fcdabcbb90f97a1b6e1dc6234", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|ac5755c49a67b53ee9abdb629e0281e21184f30fcdabcbb90f97a1b6e1dc6234", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 6032, "scanner": "repobility-docker", "fingerprint": "f924ed407164d13cc8a28b11791d5ad73015013a719eb6e175a62e2e72695f87", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": 
"repobility-docker", "final_base": "postgres:${POSTGRES_VERSION}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f924ed407164d13cc8a28b11791d5ad73015013a719eb6e175a62e2e72695f87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/postgres_ext/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 6029, "scanner": "repobility-docker", "fingerprint": "7d7cb26e0fe5a863a9736f656c8ca5c34b243ff7ca89d9f289832377bd6f9eb5", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7d7cb26e0fe5a863a9736f656c8ca5c34b243ff7ca89d9f289832377bd6f9eb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/planetscale_proxy/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 6028, "scanner": "repobility-docker", "fingerprint": "0c1fb20794cd1722e391f3a8b906f9663e3c4bf7b3fd437f46c2ca78a13938dd", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "alpine:latest", "rule_id": "DKR003", "scanner": 
"repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0c1fb20794cd1722e391f3a8b906f9663e3c4bf7b3fd437f46c2ca78a13938dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/planetscale_proxy/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 6026, "scanner": "repobility-docker", "fingerprint": "3c8b8d5301e2772fcbd19ac548b8b758f533ee92db82bde172741fd4d0dac832", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mongo:${MONGO_VERSION}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3c8b8d5301e2772fcbd19ac548b8b758f533ee92db82bde172741fd4d0dac832"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/mongodb_replica/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 6024, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": 
"repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "packages/client/src/__tests__/integration/happy/sqlite-variable-limit/dev.db", "size_mb": 25.9}, {"path": "packages/client/src/__tests__/integration/happy/multi-connect/dev.db", "size_mb": 0.1}, {"path": "packages/client/src/__tests__/integration/happy/disconnect-while-query/dev.db", "size_mb": 0.1}, {"path": "packages/client/src/__tests__/integration/happy/disconnect-race/dev.db", "size_mb": 0.1}, {"path": "packages/client/src/__tests__/integration/happy/disconnect-finally/dev.db", "size_mb": 0.1}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 6018, "scanner": "repobility-threat-engine", "fingerprint": "2732ede38f2707560a758a3e2b349787dbc495186b71dbdf9285e6a177e8089a", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2732ede38f2707560a758a3e2b349787dbc495186b71dbdf9285e6a177e8089a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/utils/printUpdateMessage.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 6017, "scanner": 
"repobility-threat-engine", "fingerprint": "ec99b22033ed3b504ab0e2d747a29348dd57ee6921e3bc771cbc4ff9c4354ef3", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (e) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ec99b22033ed3b504ab0e2d747a29348dd57ee6921e3bc771cbc4ff9c4354ef3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ci/publish.ts"}, "region": {"startLine": 868}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 6015, "scanner": "repobility-agent-runtime", "fingerprint": "8cfc97f5986b319517ee8ce4cc7c51b57f26c298a2f433bcd688b1a8f56cd12b", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|8cfc97f5986b319517ee8ce4cc7c51b57f26c298a2f433bcd688b1a8f56cd12b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "CONTRIBUTING.md"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50540, "scanner": "repobility-ai-code-hygiene", "fingerprint": "36c5439de1a1596b695e824cc3d3d3af4c2d8b43cb83d221783112536ea4d0b7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window 
appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client-generator-js/src/TSClient/PrismaClient.ts", "duplicate_line": 159, "correlation_key": "fp|36c5439de1a1596b695e824cc3d3d3af4c2d8b43cb83d221783112536ea4d0b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client-generator-ts/src/TSClient/PrismaClient.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50539, "scanner": "repobility-ai-code-hygiene", "fingerprint": "62c348794c664464faf0be40de96c350122e45adef78434ff0b8cceed173a6ef", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client-generator-js/src/TSClient/Payload.ts", "duplicate_line": 2, "correlation_key": "fp|62c348794c664464faf0be40de96c350122e45adef78434ff0b8cceed173a6ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client-generator-ts/src/TSClient/Payload.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50538, "scanner": "repobility-ai-code-hygiene", "fingerprint": "140de402605638880f6bd97da6678ae9ebaa4829e4e13d2a4f877a60b45a58af", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, 
"rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client-generator-js/src/TSClient/Output.ts", "duplicate_line": 16, "correlation_key": "fp|140de402605638880f6bd97da6678ae9ebaa4829e4e13d2a4f877a60b45a58af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client-generator-ts/src/TSClient/Output.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50537, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d531eb139880e9f2e875a07c1dce049a919dc88a32bf887416c6e331083fa8f6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client-generator-js/src/TSClient/Model.ts", "duplicate_line": 16, "correlation_key": "fp|d531eb139880e9f2e875a07c1dce049a919dc88a32bf887416c6e331083fa8f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client-generator-ts/src/TSClient/Model.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50536, "scanner": "repobility-ai-code-hygiene", "fingerprint": "07785db1c24a279aa6f32ccdf5d737623d07be30e0962d710a69115ba5f0db71", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "packages/client-generator-js/src/TSClient/Input.ts", "duplicate_line": 12, "correlation_key": "fp|07785db1c24a279aa6f32ccdf5d737623d07be30e0962d710a69115ba5f0db71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client-generator-ts/src/TSClient/Input.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50535, "scanner": "repobility-ai-code-hygiene", "fingerprint": "27463dccd427360d88b030fef61609d1306e9006110c7576be16bce08ca5b1ea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client-generator-js/src/TSClient/Count.ts", "duplicate_line": 12, "correlation_key": "fp|27463dccd427360d88b030fef61609d1306e9006110c7576be16bce08ca5b1ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client-generator-ts/src/TSClient/Count.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50534, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3773daac0148a5e116172ce6b3ddbd2e03ea49d1e0bb598f933320978e2ae881", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"packages/client-generator-js/src/TSClient/Args.ts", "duplicate_line": 10, "correlation_key": "fp|3773daac0148a5e116172ce6b3ddbd2e03ea49d1e0bb598f933320978e2ae881"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client-generator-ts/src/TSClient/Args.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50533, "scanner": "repobility-ai-code-hygiene", "fingerprint": "46e6a3ea9add063a6e215e0bde5d6c317a349dbd407fbebd8876619426d6dc72", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client-generator-js/src/GenericsArgsInfo.ts", "duplicate_line": 1, "correlation_key": "fp|46e6a3ea9add063a6e215e0bde5d6c317a349dbd407fbebd8876619426d6dc72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client-generator-ts/src/GenericsArgsInfo.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50532, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6d00dd0dc073e33204250a03479dd531ee1456ef7efc58585fcb59544d92bf4e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/client-engine-runtime/bench/mock-data.ts", "duplicate_line": 41, 
"correlation_key": "fp|6d00dd0dc073e33204250a03479dd531ee1456ef7efc58585fcb59544d92bf4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client-engine-runtime/bench/sample-query-plans.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50531, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff3c485998f52d7bd31e970e548db56faa81b606c7e56fba0ac4436a17fa209a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/cli/src/Format.ts", "duplicate_line": 48, "correlation_key": "fp|ff3c485998f52d7bd31e970e548db56faa81b606c7e56fba0ac4436a17fa209a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/Validate.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50530, "scanner": "repobility-ai-code-hygiene", "fingerprint": "38fa959eb1d49bf5b421fe9096d94725e3524c8cc83c7ca614a44f86a41dd3aa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/bundle-size/da-workers-libsql-web/index.js", "duplicate_line": 2, "correlation_key": "fp|38fa959eb1d49bf5b421fe9096d94725e3524c8cc83c7ca614a44f86a41dd3aa"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/bundle-size/da-workers-libsql/index.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50529, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3187f60f5465a6d2e97a8cce1c9b6a50b45bda3b759325b1da2b7f78d2d80cec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-neon/src/errors.ts", "duplicate_line": 3, "correlation_key": "fp|3187f60f5465a6d2e97a8cce1c9b6a50b45bda3b759325b1da2b7f78d2d80cec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-ppg/src/errors.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50528, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a59df6d66b34d0334278690090decd87bab040b0e369ad1db379dded8d263ad9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-neon/src/conversion.ts", "duplicate_line": 6, "correlation_key": "fp|a59df6d66b34d0334278690090decd87bab040b0e369ad1db379dded8d263ad9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-ppg/src/conversion.ts"}, "region": {"startLine": 121}}}]}, 
{"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50527, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1af6e6b0b5db8f12a258ab3a9925e2cc979dce68cf2f373f2e1a331734e9dc5e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-mariadb/src/mariadb.ts", "duplicate_line": 1, "correlation_key": "fp|1af6e6b0b5db8f12a258ab3a9925e2cc979dce68cf2f373f2e1a331734e9dc5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-planetscale/src/planetscale.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50526, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0ece35c579887791f992d5ba5a42d1580e73b0aa990a66617a797593ddaffae7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-mariadb/src/errors.ts", "duplicate_line": 95, "correlation_key": "fp|0ece35c579887791f992d5ba5a42d1580e73b0aa990a66617a797593ddaffae7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-planetscale/src/errors.ts"}, "region": {"startLine": 92}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, 
"properties": {"repobilityId": 50525, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9a9f90a0ac18117692a929b955d32adc9cb03c0f542b3cdf3a9694b6ef3c612d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-mariadb/src/conversion.ts", "duplicate_line": 155, "correlation_key": "fp|9a9f90a0ac18117692a929b955d32adc9cb03c0f542b3cdf3a9694b6ef3c612d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-planetscale/src/conversion.ts"}, "region": {"startLine": 129}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50524, "scanner": "repobility-ai-code-hygiene", "fingerprint": "df6ca0bc32e345945053e9df031a53e91578fbe6d022dd807dbebf0c9bc41b9f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-neon/src/conversion.ts", "duplicate_line": 331, "correlation_key": "fp|df6ca0bc32e345945053e9df031a53e91578fbe6d022dd807dbebf0c9bc41b9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-planetscale/src/conversion.ts"}, "region": {"startLine": 127}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 50523, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"48b7aef84f670a8c01a0285691568672c993566f0ea1d34bd88fed0e27bcf4d9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-neon/src/neon.ts", "duplicate_line": 24, "correlation_key": "fp|48b7aef84f670a8c01a0285691568672c993566f0ea1d34bd88fed0e27bcf4d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-pg/src/pg.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC022", "level": "note", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 50461, "scanner": "repobility-threat-engine", "fingerprint": "1a29ee95ecbee7adae8c42d887243d0b8b3e160aef5409f37eb81b0aeefedbac", "category": "credential_exposure", "severity": "low", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value contains development/placeholder marker", "evidence": {"match": "postgres://prisma:prisma@", "reason": "Value contains development/placeholder marker", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "secret|. token|2|postgres://prisma:prisma"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/scripts/setup-postgres.sh"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 6094, "scanner": "repobility-docker", "fingerprint": "9960c4c73e5f0b4bd997267869ccda97906a80584f93487c1a2dcda75bd32588", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "postgres-ssl", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9960c4c73e5f0b4bd997267869ccda97906a80584f93487c1a2dcda75bd32588"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/pg-self-signed-cert-error/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 6092, "scanner": "repobility-docker", "fingerprint": "9fed76c67bc28905d2c071597f3fb2beb1e83a28d735c39e46d4fa7a9241c215", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "postgres-ssl", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9fed76c67bc28905d2c071597f3fb2beb1e83a28d735c39e46d4fa7a9241c215"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/client/tests/e2e/pg-self-signed-cert-error/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 6078, "scanner": "repobility-docker", "fingerprint": "db582c6e575a0687bc93af3971f74c56fa1371e612d3734600baccd55511fa18", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "neon_wsproxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|db582c6e575a0687bc93af3971f74c56fa1371e612d3734600baccd55511fa18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 6077, "scanner": "repobility-docker", "fingerprint": "277bb01c61f5a5fcc0192d67dce4dfa049860a30cf85136f50bffd0309f2a324", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "neon_wsproxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|277bb01c61f5a5fcc0192d67dce4dfa049860a30cf85136f50bffd0309f2a324"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml"}, 
"region": {"startLine": 9}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 6073, "scanner": "repobility-docker", "fingerprint": "033a2df6fa660858e9f7f914e292e823b32ab18510a6ca02d4fef3133df08732", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "test-e2e", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|033a2df6fa660858e9f7f914e292e823b32ab18510a6ca02d4fef3133df08732"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/_utils/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 6072, "scanner": "repobility-docker", "fingerprint": "cee3b31dc4f47b34b9a863ee861966d3f9f13a90d1f61dedb2f97bb53370e29f", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "test-e2e", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cee3b31dc4f47b34b9a863ee861966d3f9f13a90d1f61dedb2f97bb53370e29f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/_utils/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": 
{"repobilityId": 6070, "scanner": "repobility-docker", "fingerprint": "7ae51e372583156a330048b319b518f7f82a4095a4a49fd4be057452fc5d6772", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "planetscale_proxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7ae51e372583156a330048b319b518f7f82a4095a4a49fd4be057452fc5d6772"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 244}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 6069, "scanner": "repobility-docker", "fingerprint": "548fa0783089531698996e4b132d52bf8340a9e2d9020f281f306efc7b371907", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "planetscale_proxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|548fa0783089531698996e4b132d52bf8340a9e2d9020f281f306efc7b371907"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 244}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 6068, "scanner": "repobility-docker", "fingerprint": "9b9f22c655f1693a3291f2fdacc5dfce6a01bab0d0e6125c949324e687e41987", "category": "docker", "severity": "low", "confidence": 0.62, 
"triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "neon_wsproxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9b9f22c655f1693a3291f2fdacc5dfce6a01bab0d0e6125c949324e687e41987"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 226}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 6067, "scanner": "repobility-docker", "fingerprint": "3f8e00747679d8acc3632e15e456b140a05c471ea294844f527374e551717377", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "neon_wsproxy", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3f8e00747679d8acc3632e15e456b140a05c471ea294844f527374e551717377"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 226}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 6065, "scanner": "repobility-docker", "fingerprint": "21a5391786aed5afc393d3195d8df5f465a3b53f28fd2fc24f9a78fbbc1bfb5e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": 
"repobility-docker", "service": "mongo6", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|21a5391786aed5afc393d3195d8df5f465a3b53f28fd2fc24f9a78fbbc1bfb5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 206}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 6064, "scanner": "repobility-docker", "fingerprint": "e0b5ee14b3537e42e626ad2b5c31caf756cb20b9c8bcfc6324f5014cac5d7d24", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mongo6", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e0b5ee14b3537e42e626ad2b5c31caf756cb20b9c8bcfc6324f5014cac5d7d24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 206}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 6062, "scanner": "repobility-docker", "fingerprint": "3586583f344c27fe59ad02180e1e20ad43d5c9ffecc70e2179a3466e0af1cbf1", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mongo", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|3586583f344c27fe59ad02180e1e20ad43d5c9ffecc70e2179a3466e0af1cbf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 183}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 6057, "scanner": "repobility-docker", "fingerprint": "96efbad73dea22c292fe987bef49cfb0b5df9652a0811260e81dfac226e1f3bd", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "mssql", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|96efbad73dea22c292fe987bef49cfb0b5df9652a0811260e81dfac226e1f3bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 149}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 6055, "scanner": "repobility-docker", "fingerprint": "379de6b7dd33f961e14df774e6c0859695d923380d64a5d0ae3c7a0129bc0c5f", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mssql", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|379de6b7dd33f961e14df774e6c0859695d923380d64a5d0ae3c7a0129bc0c5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 149}}}]}, {"ruleId": "DKC010", 
"level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 6043, "scanner": "repobility-docker", "fingerprint": "3f6063a729895d44c66c44208973121599fecc627f2d115f6e70333214be1431", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "cockroachdb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3f6063a729895d44c66c44208973121599fecc627f2d115f6e70333214be1431"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 6042, "scanner": "repobility-docker", "fingerprint": "811468e8d7d9a6f0d6acf4c99f054e5c4ffcced67f45bf38fe3aa4b8431d7620", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "cockroachdb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|811468e8d7d9a6f0d6acf4c99f054e5c4ffcced67f45bf38fe3aa4b8431d7620"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 6038, "scanner": "repobility-docker", "fingerprint": 
"2d080414528d7d03d1c6b7e66957f6b018b56426a8c151e2e4a7f5061881bc10", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "postgres-16", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2d080414528d7d03d1c6b7e66957f6b018b56426a8c151e2e4a7f5061881bc10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 6036, "scanner": "repobility-docker", "fingerprint": "a6e6c4d0d8e1af9ba5c9911459700287ee433b41669702d1424b62a2f25f5c00", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "postgres-16", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a6e6c4d0d8e1af9ba5c9911459700287ee433b41669702d1424b62a2f25f5c00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 6033, "scanner": "repobility-docker", "fingerprint": "42e15a91b1457d5e22d81928f1edf49fb9db088ac2e9426264b607f7ba670cc0", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": 
"Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "postgres", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|42e15a91b1457d5e22d81928f1edf49fb9db088ac2e9426264b607f7ba670cc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 6031, "scanner": "repobility-docker", "fingerprint": "21666f6fdc2bd706ac43c8e0fa64a093f86dde24d9393dbcee15fc9c25be15f6", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|21666f6fdc2bd706ac43c8e0fa64a093f86dde24d9393dbcee15fc9c25be15f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/postgres_ext/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 6027, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], 
"correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6014, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6899d05ae34d3cb46529505d86831446fb51dd9582de8209c64816fe965b3d74", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-neon/src/errors.ts", "duplicate_line": 4, "correlation_key": "fp|6899d05ae34d3cb46529505d86831446fb51dd9582de8209c64816fe965b3d74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-pg/src/errors.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6013, "scanner": "repobility-ai-code-hygiene", "fingerprint": "879d7fecc23ffcf534a854d583efb116ed482e572f50cdd3943de524c35a8e2e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-mariadb/src/conversion.ts", "duplicate_line": 155, "correlation_key": "fp|879d7fecc23ffcf534a854d583efb116ed482e572f50cdd3943de524c35a8e2e"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-pg/src/conversion.ts"}, "region": {"startLine": 341}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6012, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6c68609182220cebcab00754b105062d80b929736e2f627509bb61bdff534bc5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-neon/src/conversion.ts", "duplicate_line": 5, "correlation_key": "fp|6c68609182220cebcab00754b105062d80b929736e2f627509bb61bdff534bc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-pg/src/conversion.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6011, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9f956fa79f50f2ca79e90529b64eded5d56391df01cf8342bf39eec24b0a6273", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-mariadb/src/conversion.ts", "duplicate_line": 155, "correlation_key": "fp|9f956fa79f50f2ca79e90529b64eded5d56391df01cf8342bf39eec24b0a6273"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-neon/src/conversion.ts"}, "region": {"startLine": 333}}}]}, 
{"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6010, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3ff695b9356d210a84f3f2c81e3ead45909624bccc266228878c7f1b6511bf0f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-d1/src/d1-worker.ts", "duplicate_line": 2, "correlation_key": "fp|3ff695b9356d210a84f3f2c81e3ead45909624bccc266228878c7f1b6511bf0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-mssql/src/mssql.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6009, "scanner": "repobility-ai-code-hygiene", "fingerprint": "82deb5d2cd40c3931e821683f0465345179768d4d24ec170ae118eebb9e03632", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-mariadb/src/conversion.ts", "duplicate_line": 117, "correlation_key": "fp|82deb5d2cd40c3931e821683f0465345179768d4d24ec170ae118eebb9e03632"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-mssql/src/conversion.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": 
{"repobilityId": 6008, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c8fc3efd0ecf151ef61b79ec90eed39b414159300fc79670b557defd20e829fc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-better-sqlite3/src/better-sqlite3.ts", "duplicate_line": 1, "correlation_key": "fp|c8fc3efd0ecf151ef61b79ec90eed39b414159300fc79670b557defd20e829fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-libsql/src/libsql.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6007, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8ee290750a9b6860a59130acb081b6b97cb6a380a74b3c67512eac723247b405", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-better-sqlite3/src/errors.ts", "duplicate_line": 49, "correlation_key": "fp|8ee290750a9b6860a59130acb081b6b97cb6a380a74b3c67512eac723247b405"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-libsql/src/errors.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6006, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"d487e3a3a30e36b6e636e1c4bcb4ab46d6cc609954dfa89e7f8435174781820c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-d1/src/conversion.ts", "duplicate_line": 69, "correlation_key": "fp|d487e3a3a30e36b6e636e1c4bcb4ab46d6cc609954dfa89e7f8435174781820c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-libsql/src/conversion.ts"}, "region": {"startLine": 119}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6005, "scanner": "repobility-ai-code-hygiene", "fingerprint": "44daed7cc45d47717e6c3590a648d0348b16401fbfeca4a4b5d8328a57c47235", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-better-sqlite3/src/conversion.ts", "duplicate_line": 13, "correlation_key": "fp|44daed7cc45d47717e6c3590a648d0348b16401fbfeca4a4b5d8328a57c47235"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-libsql/src/conversion.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6004, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b08f0d2c3b675d4211d168ce3e3347867816e142a0f59a6a8822bdd200846ba", "category": "quality", "severity": "low", 
"confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-d1/src/d1-http.ts", "duplicate_line": 147, "correlation_key": "fp|6b08f0d2c3b675d4211d168ce3e3347867816e142a0f59a6a8822bdd200846ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-d1/src/d1-worker.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 6003, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e3cbe485d531adcae6521872dc7a60d526ee828c68ffc51c52a467d1e1202058", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-better-sqlite3/src/conversion.ts", "duplicate_line": 112, "correlation_key": "fp|e3cbe485d531adcae6521872dc7a60d526ee828c68ffc51c52a467d1e1202058"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-d1/src/conversion.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC009", "level": "note", "message": {"text": "Multiple AI-agent scaffold marker files are present"}, "properties": {"repobilityId": 6002, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff6e1d5f8944c42e18d355d72dd1be436aa8bed440cc2a7bce2c8a8fb4706ed6", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains several 
AI-agent scaffold marker files.", "evidence": {"markers": ["AGENTS.md", "CLAUDE.md", "GEMINI.md"], "rule_id": "AIC009", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|ff6e1d5f8944c42e18d355d72dd1be436aa8bed440cc2a7bce2c8a8fb4706ed6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "AGENTS.md"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 50520, "scanner": "repobility-threat-engine", "fingerprint": "bc622422aece995c7e07e0c16de081f3178587059cc7d4258a61a173910ef549", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|bc622422aece995c7e07e0c16de081f3178587059cc7d4258a61a173910ef549"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 50513, "scanner": "repobility-threat-engine", "fingerprint": "cfa550607f4349f15f30bb0f90082ed742dae26a4e109a8c55e2b68318c66dd8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cfa550607f4349f15f30bb0f90082ed742dae26a4e109a8c55e2b68318c66dd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/fetch-engine/src/getProxyAgent.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 50512, "scanner": "repobility-threat-engine", "fingerprint": "1ea792e91b34bc66d407292f6e13e23f451a3925e5390223009c256dd2094f30", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": 
"2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1ea792e91b34bc66d407292f6e13e23f451a3925e5390223009c256dd2094f30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/studio-server.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 50511, "scanner": "repobility-threat-engine", "fingerprint": "b44dd28897ecb54f960353ef88627e40e813f03f400aefa83ce6167534dfeeec", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b44dd28897ecb54f960353ef88627e40e813f03f400aefa83ce6167534dfeeec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/management-api/auth.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC136", "level": "none", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "properties": {"repobilityId": 50507, "scanner": "repobility-threat-engine", "fingerprint": "8e478e56b730255b619eaaf214c2ac68864bd09b58591d59c20fe11bd4508abd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8e478e56b730255b619eaaf214c2ac68864bd09b58591d59c20fe11bd4508abd"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 50503, "scanner": "repobility-threat-engine", "fingerprint": "55dd9a4fe1ed00e875ab40ad2e079768353c2831badd419600f381c596cc9071", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|55dd9a4fe1ed00e875ab40ad2e079768353c2831badd419600f381c596cc9071"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 8 more): Same pattern found in 8 additional files. 
Review if needed."}, "properties": {"repobilityId": 50499, "scanner": "repobility-threat-engine", "fingerprint": "b25ca6c2b6e8056e9e2c805b4ff75b5230249c907e2c0475c7bb8fc214cf24b0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b25ca6c2b6e8056e9e2c805b4ff75b5230249c907e2c0475c7bb8fc214cf24b0"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 50495, "scanner": "repobility-threat-engine", "fingerprint": "d14be0fefa073ce5d7f9e06ddc2458b70958a5bc036469eafe870ed8d062de60", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d14be0fefa073ce5d7f9e06ddc2458b70958a5bc036469eafe870ed8d062de60"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 50491, "scanner": "repobility-threat-engine", "fingerprint": "b33b9fa30193bee8937fded79de0a89e3cbc0227353c6d1fa8988e662e74e331", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b33b9fa30193bee8937fded79de0a89e3cbc0227353c6d1fa8988e662e74e331"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 50490, "scanner": "repobility-threat-engine", "fingerprint": "9ca735d16d517996fb88b4e2d8b168ce7a738dccdb72d7a78feeef7459b9036e", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|328|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-pg/src/pg.ts"}, "region": {"startLine": 328}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 50489, "scanner": "repobility-threat-engine", "fingerprint": "7dd3ccc6dc27a285b6f3fe858df7fd98168f174a9615c98f99c596bf75764b9e", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|338|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-d1/src/d1-http.ts"}, "region": {"startLine": 338}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 50488, "scanner": "repobility-threat-engine", "fingerprint": "b932c54a5db9d510513d26ac68d0f66cf48eb01b9b9f5d5d19dfd4f1033d7788", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|4|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helpers/compile/plugins/fill-plugin/fillers/crypto.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "properties": {"repobilityId": 50487, "scanner": "repobility-threat-engine", "fingerprint": "e5bc9bf5f42d9f2194ea7d1c2041149f1dd167602643d8715ae0a1e0f31c2c9d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e5bc9bf5f42d9f2194ea7d1c2041149f1dd167602643d8715ae0a1e0f31c2c9d"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 50483, "scanner": "repobility-threat-engine", "fingerprint": "608d8d675ae0526fc953a53caf5c68a07518f95ee27080c50acec2df294a2cc4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|608d8d675ae0526fc953a53caf5c68a07518f95ee27080c50acec2df294a2cc4", "aggregated_count": 13}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 50482, "scanner": "repobility-threat-engine", "fingerprint": "8b09b9e63319593be217d1e2c0991cbf61a657345ce78ea89c7046f6d2cec662", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8b09b9e63319593be217d1e2c0991cbf61a657345ce78ea89c7046f6d2cec662"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client-engine-runtime/src/interpreter/in-memory-processing.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 50481, "scanner": "repobility-threat-engine", "fingerprint": "685305b832cd847761d378749b6a0812609d1d30acf1cfdbf0ccd9efe528e3cc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|685305b832cd847761d378749b6a0812609d1d30acf1cfdbf0ccd9efe528e3cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-planetscale/src/planetscale.ts"}, "region": {"startLine": 240}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 50480, "scanner": "repobility-threat-engine", "fingerprint": "b23a2d653d579c6b319d2d7dc0dbcd168b0923e3275bac0a354b7b8a2a4cdc4a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b23a2d653d579c6b319d2d7dc0dbcd168b0923e3275bac0a354b7b8a2a4cdc4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helpers/blaze/omit.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 56 more): Same pattern found in 56 additional files. Review if needed."}, "properties": {"repobilityId": 50479, "scanner": "repobility-threat-engine", "fingerprint": "dedd8154a20516242afc6883df085eda5a540c341e838b56e49cbd100a8adb18", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 56 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|dedd8154a20516242afc6883df085eda5a540c341e838b56e49cbd100a8adb18", "aggregated_count": 56}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 50478, "scanner": "repobility-threat-engine", "fingerprint": "b51fdd4e9e114b889c1ed455b5d0c6bf5886831fabbd4f478ad2c256e1f273c6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b51fdd4e9e114b889c1ed455b5d0c6bf5886831fabbd4f478ad2c256e1f273c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helpers/blaze/pick.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 50477, "scanner": "repobility-threat-engine", "fingerprint": "70cfca09d6dad4ee0d138ab24783b992b165726fc0208d527137e38349dbf4c1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|70cfca09d6dad4ee0d138ab24783b992b165726fc0208d527137e38349dbf4c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helpers/blaze/omit.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 50476, "scanner": "repobility-threat-engine", "fingerprint": "9e92f26190c62e8d2cf88be3e55aaa2b53ffd1e0ea619977eefa84311ff77b4d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9e92f26190c62e8d2cf88be3e55aaa2b53ffd1e0ea619977eefa84311ff77b4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helpers/blaze/map.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "properties": {"repobilityId": 50475, "scanner": "repobility-threat-engine", "fingerprint": "2813c1e44a10ea5308a9b2a28c41c15a7b2343ee883e54a3536123f14fb26db0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 24 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2813c1e44a10ea5308a9b2a28c41c15a7b2343ee883e54a3536123f14fb26db0", "aggregated_count": 24}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 50474, "scanner": "repobility-threat-engine", "fingerprint": "a68cd0bf6025c1348a03c7674f59e89c1b9d64f02271e52614f8cf264c8956de", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a68cd0bf6025c1348a03c7674f59e89c1b9d64f02271e52614f8cf264c8956de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helpers/blaze/get.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 50473, "scanner": "repobility-threat-engine", "fingerprint": "5815d403268a5c03542492fa6ad0b02ab635b6ea1ecd4fb180f9fde0f8c875ba", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5815d403268a5c03542492fa6ad0b02ab635b6ea1ecd4fb180f9fde0f8c875ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helpers/blaze/flatten.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 50472, "scanner": "repobility-threat-engine", "fingerprint": "fe13a87b0b344fb0ed3647a35ec02877eec85ffc6de0dc4156db9c72e70c24ab", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fe13a87b0b344fb0ed3647a35ec02877eec85ffc6de0dc4156db9c72e70c24ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helpers/blaze/concat.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. 
Review if needed."}, "properties": {"repobilityId": 50471, "scanner": "repobility-threat-engine", "fingerprint": "384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 50467, "scanner": "repobility-threat-engine", "fingerprint": "c1ac4f7bfd3cb5749074172447bbd649d3b8d62a711943e2d06a444e028cdfdd", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c1ac4f7bfd3cb5749074172447bbd649d3b8d62a711943e2d06a444e028cdfdd"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 64 more): Same pattern found in 64 additional files. 
Review if needed."}, "properties": {"repobilityId": 50460, "scanner": "repobility-threat-engine", "fingerprint": "0053b5d9f4dc69b09e568e885f9d0906d2e490f422b43d51e27ae29bec667001", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 64 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0053b5d9f4dc69b09e568e885f9d0906d2e490f422b43d51e27ae29bec667001", "aggregated_count": 64}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 50459, "scanner": "repobility-threat-engine", "fingerprint": "254bf19917e3f6c7821303e5a8fd3552c78fcb7883131ee3399f27c313d4f80f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|254bf19917e3f6c7821303e5a8fd3552c78fcb7883131ee3399f27c313d4f80f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helpers/compile/build.ts"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 50458, "scanner": "repobility-threat-engine", "fingerprint": "b9db23d3caf46bf6526110eb931003e55f547b934c4798ccca71c5e72b0c47eb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b9db23d3caf46bf6526110eb931003e55f547b934c4798ccca71c5e72b0c47eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/scripts/detect-jobs-to-run.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 50457, "scanner": "repobility-threat-engine", "fingerprint": "c84a3008ee37e45f90495760d63aa15f352e6a0f7bba97b6cfb473dc2a2bb68a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c84a3008ee37e45f90495760d63aa15f352e6a0f7bba97b6cfb473dc2a2bb68a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/scripts/auto-close-github-discussions.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 50456, "scanner": "repobility-threat-engine", "fingerprint": "f7295390d7146196157611bb4d5879e0c3a9ee5a3546720b311aaf06b82bc0be", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.error('`prisma.config.ts` not found')", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|packages/migrate/src/bin.ts|8|console.error prisma.config.ts not found"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/migrate/src/bin.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 50455, "scanner": "repobility-threat-engine", "fingerprint": "65a6ab8c34fcddc6b44bf36c0fd0ce530b2334b0be752f11ac38c6d65ab3bd72", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.error('GITHUB_TOKEN not set')", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|. 
token|1|console.error github_token not set"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/scripts/auto-close-github-discussions.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 6030, "scanner": "repobility-docker", "fingerprint": "cad3feb620e3fc246179331d95fb09271a6fdd06ab5be4a1d2fee9ac9fe1981c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "postgres:${POSTGRES_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|cad3feb620e3fc246179331d95fb09271a6fdd06ab5be4a1d2fee9ac9fe1981c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/postgres_ext/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 6025, "scanner": "repobility-docker", "fingerprint": "49f50f60db43d67667e06ad794856512d1112a7a9db25228681d94cd611f5f3a", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "mongo:${MONGO_VERSION}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": 
"fp|49f50f60db43d67667e06ad794856512d1112a7a9db25228681d94cd611f5f3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/mongodb_replica/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 6020, "scanner": "repobility-threat-engine", "fingerprint": "a63683ca596c5c041af38390555a9feea4e6dd0576b92fba892447afeb65d950", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|294|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/runtime/getPrismaClient.ts"}, "region": {"startLine": 294}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 6019, "scanner": "repobility-threat-engine", "fingerprint": "d1c83e5e33271b3728b0f4148548ca6e177edf788ddabb39b66cc04d9fedd24b", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|222|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helpers/compile/plugins/fill-plugin/fillPlugin.ts"}, "region": {"startLine": 222}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 6016, "scanner": "repobility-threat-engine", "fingerprint": "a4d82a627fb736d0e214e5206592d2d1e18392bbb317abe54b7e16f31fe90b58", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "console.log(`Setting --release to RELEASE_VERSION = ${process.env.RELEASE_VERSION}`)", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|scripts/ci/publish.ts|48|console.log setting --release to release_version process.env.release_version"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/ci/publish.ts"}, "region": {"startLine": 484}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/create-pull-request` pinned to mutable ref `@v8`: `uses: peter-evans/create-pull-request@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50574, "scanner": "repobility-supply-chain", "fingerprint": "80645750101bd2958a53132f94e0f52db3a1276e9908bd56899b3cada12d7fcf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|80645750101bd2958a53132f94e0f52db3a1276e9908bd56899b3cada12d7fcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-engines-version.yml"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `juliangruber/approve-pull-request-action` pinned to mutable ref `@v2`: `uses: juliangruber/approve-pull-request-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50573, "scanner": "repobility-supply-chain", "fingerprint": "67ff1c54a16db776f8b924d61eaf929af7668014576c5709b7233f13149de568", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|67ff1c54a16db776f8b924d61eaf929af7668014576c5709b7233f13149de568"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-engines-version.yml"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/create-pull-request` pinned to mutable ref `@v8`: `uses: peter-evans/create-pull-request@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50572, "scanner": "repobility-supply-chain", "fingerprint": "e0af2bc606be14b3b8618743d601936ca8322ac0d02224869133df5cd4873584", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e0af2bc606be14b3b8618743d601936ca8322ac0d02224869133df5cd4873584"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-engines-version.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50571, "scanner": "repobility-supply-chain", "fingerprint": "73dd6679829345360049f22da81aab3da770dfcc59c0892d3b147ecf4ef7cbeb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|73dd6679829345360049f22da81aab3da770dfcc59c0892d3b147ecf4ef7cbeb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-engines-version.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `nick-fields/retry` pinned to mutable ref `@v3`: `uses: nick-fields/retry@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50570, "scanner": "repobility-supply-chain", "fingerprint": "375791313fa2e4910173a48bd4a556cf237658954b50411ad9e2fb021c8f0118", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|375791313fa2e4910173a48bd4a556cf237658954b50411ad9e2fb021c8f0118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-engines-version.yml"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `nick-fields/retry` pinned to mutable ref `@v3`: `uses: nick-fields/retry@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50569, "scanner": "repobility-supply-chain", "fingerprint": "acd2d00ee0606f4100cd8254f76ffa88c7ee929e7b1b11aef39030dd6d175946", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|acd2d00ee0606f4100cd8254f76ffa88c7ee929e7b1b11aef39030dd6d175946"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-engines-version.yml"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `nick-fields/retry` pinned to mutable ref `@v3`: `uses: nick-fields/retry@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50568, "scanner": "repobility-supply-chain", "fingerprint": "977a937ab17abbda3e8312d8ea8ba8dbbb341a0227973c40965e954d822e9ce1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|977a937ab17abbda3e8312d8ea8ba8dbbb341a0227973c40965e954d822e9ce1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-engines-version.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `nick-fields/retry` pinned to mutable ref `@v3`: `uses: nick-fields/retry@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50567, "scanner": "repobility-supply-chain", "fingerprint": "4018c3e3f6f9cc0acf73e2d48d88052b13b53e94dfdd8d8235ed210d92f13328", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4018c3e3f6f9cc0acf73e2d48d88052b13b53e94dfdd8d8235ed210d92f13328"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-engines-version.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50566, "scanner": "repobility-supply-chain", "fingerprint": "290a05d26dfb50813b4e79c4cd9214147c42211cb6ff0954f89eac4db197e2f2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|290a05d26dfb50813b4e79c4cd9214147c42211cb6ff0954f89eac4db197e2f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-engines-version.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4.0.0`: `uses: pnpm/action-setup@v4.0.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50565, "scanner": "repobility-supply-chain", "fingerprint": "ec96e216bf95f9ef15fe98d9a96cbcb10c60aabc175a7299d5c89775cde102c0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ec96e216bf95f9ef15fe98d9a96cbcb10c60aabc175a7299d5c89775cde102c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-engines-version.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50564, "scanner": "repobility-supply-chain", "fingerprint": "bd7d872f0a1e2a4c832a9c8244e59a0c0857b1f281aeb835d43e10ca56714de0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bd7d872f0a1e2a4c832a9c8244e59a0c0857b1f281aeb835d43e10ca56714de0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-engines-version.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50563, "scanner": "repobility-supply-chain", "fingerprint": "4a79d35acb0c14a86a5d8ca1aad88da04dbc3e0828dc86d82e1a81fcb57ccf78", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4a79d35acb0c14a86a5d8ca1aad88da04dbc3e0828dc86d82e1a81fcb57ccf78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-close-github-discussions.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50562, "scanner": "repobility-supply-chain", "fingerprint": "359a8683267eb6752c24fc8a911fa769d1e8d71acb62cf075bb421ac25dde293", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|359a8683267eb6752c24fc8a911fa769d1e8d71acb62cf075bb421ac25dde293"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-close-github-discussions.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50561, "scanner": "repobility-supply-chain", "fingerprint": "4f2bfd42ff9b02d1c700ce784a7961a80488328ade1a18915aaac3252fdd9d47", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f2bfd42ff9b02d1c700ce784a7961a80488328ade1a18915aaac3252fdd9d47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-close-github-discussions.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v3`: `uses: github/codeql-action/analyze@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50560, "scanner": "repobility-supply-chain", "fingerprint": "30e6b996ef2f3ce12dc4d27ee1f5c99c1d8fb25c7e6aec19c0f45232d4b5ebb6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|30e6b996ef2f3ce12dc4d27ee1f5c99c1d8fb25c7e6aec19c0f45232d4b5ebb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v3`: `uses: github/codeql-action/init@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50559, "scanner": "repobility-supply-chain", "fingerprint": "ebeaa20591159d64164168d3f12a5b4f8efef570ec9a2ad3eec31279d6519d1b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ebeaa20591159d64164168d3f12a5b4f8efef570ec9a2ad3eec31279d6519d1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50558, "scanner": "repobility-supply-chain", "fingerprint": "b1cfceb24afccf080df840ab5a0ae7c1237f43113b4e9448c32d53ec255ef68b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b1cfceb24afccf080df840ab5a0ae7c1237f43113b4e9448c32d53ec255ef68b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/create-or-update-comment` pinned to mutable ref `@v5`: `uses: peter-evans/create-or-update-comment@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50556, "scanner": "repobility-supply-chain", "fingerprint": "a6fa139309f04040489611c36dadab5cacb84b3b89e640824253941ae3220dce", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a6fa139309f04040489611c36dadab5cacb84b3b89e640824253941ae3220dce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/create-or-update-comment` pinned to mutable ref `@v5`: `uses: peter-evans/create-or-update-comment@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50555, "scanner": "repobility-supply-chain", "fingerprint": "7ca3bef608c720f2e8ea9640e4b8cc4037cb92492c3aa8cdfd45100f06d8dc66", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7ca3bef608c720f2e8ea9640e4b8cc4037cb92492c3aa8cdfd45100f06d8dc66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/find-comment` pinned to mutable ref `@v4`: `uses: peter-evans/find-comment@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50554, "scanner": "repobility-supply-chain", "fingerprint": "e07f0a2eeaf509c4ae1d8e119c01ac4ed4c065a5b900a8ec520761c056f5c681", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e07f0a2eeaf509c4ae1d8e119c01ac4ed4c065a5b900a8ec520761c056f5c681"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `benc-uk/workflow-dispatch` pinned to mutable ref `@v1`: `uses: benc-uk/workflow-dispatch@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50553, "scanner": "repobility-supply-chain", "fingerprint": "da0b2dc4424a6c9a01d98e453c2619ce4dfca7d59a19cdbec16c6925c9792f6b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|da0b2dc4424a6c9a01d98e453c2619ce4dfca7d59a19cdbec16c6925c9792f6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/find-comment` pinned to mutable ref `@v4`: `uses: peter-evans/find-comment@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50552, "scanner": "repobility-supply-chain", "fingerprint": "2a552b8342702b8cbf0a29f901d998b0d3af54be7394f496462d95262f3727e8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2a552b8342702b8cbf0a29f901d998b0d3af54be7394f496462d95262f3727e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50551, "scanner": "repobility-supply-chain", "fingerprint": "40d1c21b6e257f34f985824b86aad365d748a2ec9c3574429f8a237e1f02a80d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|40d1c21b6e257f34f985824b86aad365d748a2ec9c3574429f8a237e1f02a80d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `andresz1/size-limit-action` pinned to mutable ref `@v1`: `uses: andresz1/size-limit-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50550, "scanner": "repobility-supply-chain", "fingerprint": "0dde6e9f7a66c009808bf00a3e0a8e24e632fa0df34cf40719f12814d1eac1b3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0dde6e9f7a66c009808bf00a3e0a8e24e632fa0df34cf40719f12814d1eac1b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-size.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 50549, "scanner": "repobility-supply-chain", "fingerprint": "650c5b27ca44ceaa33f0e2e7edb15bf00a6bf7c3d91ee8d9f6795d5f883bcf4c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|650c5b27ca44ceaa33f0e2e7edb15bf00a6bf7c3d91ee8d9f6795d5f883bcf4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-size.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `db` pulled from URL/Git: `dependencies.db` = `link:./node_modules/.prisma/client` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 50548, "scanner": "repobility-supply-chain", "fingerprint": "5a073a87b0c980b986b43818a940734b83fd6e7367a1ffbb61dc6c209e9953ad", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5a073a87b0c980b986b43818a940734b83fd6e7367a1ffbb61dc6c209e9953ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sandbox/d1/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `db` pulled from URL/Git: `dependencies.db` = `link:custom` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 50547, "scanner": "repobility-supply-chain", "fingerprint": "d03168ea95b07cfd343d7efe42bb072be04e7215e4e48a5ff140976ea9473254", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d03168ea95b07cfd343d7efe42bb072be04e7215e4e48a5ff140976ea9473254"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/prisma-client-imports-mysql/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20.19` not pinned by digest: `FROM node:20.19` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 50546, "scanner": "repobility-supply-chain", "fingerprint": "99f5a5e13879bbff9b78ee3770413be845e0999602132587e6114b106990161f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|99f5a5e13879bbff9b78ee3770413be845e0999602132587e6114b106990161f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/_utils/standard.dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `db` pulled from URL/Git: `dependencies.db` = `link:custom` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 50545, "scanner": "repobility-supply-chain", "fingerprint": "f5d4e0391e02fb2a6446ef83016cd676d9099a5960bf07d66b4898a1bd24267f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f5d4e0391e02fb2a6446ef83016cd676d9099a5960bf07d66b4898a1bd24267f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/prisma-client-imports-postgres/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `db` pulled from URL/Git: `dependencies.db` = `link:custom` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 50544, "scanner": "repobility-supply-chain", "fingerprint": "86fedb2e8d6c36fb0f010787f3c801827f582c058c08b4f31699fe806a6ecc40", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86fedb2e8d6c36fb0f010787f3c801827f582c058c08b4f31699fe806a6ecc40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/prisma-client-imports-sqlite/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `prisma` pulled from URL/Git: `devDependencies.prisma` = `file:/tmp/prisma-0.0.0.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 50543, "scanner": "repobility-supply-chain", "fingerprint": "ab205f3be317ebeef5904697147eccadf7ee5da684499a55c9a4059d7db44262", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ab205f3be317ebeef5904697147eccadf7ee5da684499a55c9a4059d7db44262"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/prisma-init-bun/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:latest` not pinned by digest: `FROM alpine:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 50542, "scanner": "repobility-supply-chain", "fingerprint": "f29f284474551def206d1e28c807d8c19cd2afb19ab7d4d40e23efc6a02f66f8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f29f284474551def206d1e28c807d8c19cd2afb19ab7d4d40e23efc6a02f66f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/planetscale_proxy/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ghcr.io/mattrobenolt/ps-http-sim:v0.0.11` not pinned by digest: `FROM ghcr.io/mattrobenolt/ps-http-sim:v0.0.11` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 50541, "scanner": "repobility-supply-chain", "fingerprint": "a2c74fecaa13bab6746c411c07968261602cd6a5aed906b5b3e59892e6f7494c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a2c74fecaa13bab6746c411c07968261602cd6a5aed906b5b3e59892e6f7494c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/planetscale_proxy/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED032", "level": "error", "message": {"text": "[MINED032] Ts Nocheck Comment: // @ts-nocheck silences all type checking for entire file."}, "properties": {"repobilityId": 50521, "scanner": "repobility-threat-engine", "fingerprint": "d85acd6f0408768d825274233339ad560dfb880013757e798346a07788d92a58", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-nocheck-comment", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347973+00:00", "triaged_in_corpus": 15, "observations_count": 6120, "ai_coder_pattern_id": 100}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d85acd6f0408768d825274233339ad560dfb880013757e798346a07788d92a58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client-generator-ts/src/utils/addPreamble.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new 
RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 50519, "scanner": "repobility-threat-engine", "fingerprint": "c0bda1d53d228bfc64018773aef4dfd1ace2a0eab9f3a9905d4f383f68819844", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c0bda1d53d228bfc64018773aef4dfd1ace2a0eab9f3a9905d4f383f68819844"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/get-platform/src/test-utils/jestSnapshotSerializer.js"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 50518, "scanner": "repobility-threat-engine", "fingerprint": "376af33cd028650b9610ea783bc08c5909a2f4420be6b341a5eec637427b7dd3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(String", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|376af33cd028650b9610ea783bc08c5909a2f4420be6b341a5eec637427b7dd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/runtime/utils/createErrorMessageWithContext.ts"}, "region": {"startLine": 132}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 50517, "scanner": "repobility-threat-engine", "fingerprint": "f2c6ecbf799d2dc979a264f08ea08b5aa583c529d464e9600a79d194de0fbc48", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(val", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f2c6ecbf799d2dc979a264f08ea08b5aa583c529d464e9600a79d194de0fbc48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/utils/prompt/utils/deepExtend.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 50516, "scanner": "repobility-threat-engine", "fingerprint": "14d0510085bd5843ea1c0c8aaa35c5d0d73fdafbe0ce23ef4fa487360e28edf7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin', '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|14d0510085bd5843ea1c0c8aaa35c5d0d73fdafbe0ce23ef4fa487360e28edf7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/studio-server.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 50502, "scanner": "repobility-threat-engine", "fingerprint": "1fb2e1c7e22888a3b2f0a2980854e93cefe7ad744929079fa54593fad73c8d63", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(j", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1fb2e1c7e22888a3b2f0a2980854e93cefe7ad744929079fa54593fad73c8d63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/SubCommand.ts"}, "region": {"startLine": 125}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 50501, "scanner": "repobility-threat-engine", "fingerprint": "e0d83feaf3fd656f4ec5d1b8f36c61f679648cefa867fcafa7486ea90dc9094b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e0d83feaf3fd656f4ec5d1b8f36c61f679648cefa867fcafa7486ea90dc9094b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-planetscale/src/planetscale.ts"}, "region": {"startLine": 205}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 50500, "scanner": "repobility-threat-engine", "fingerprint": "8494eb613c13ab0cc95991c6db5227368cb60f979914f5b18b34f15c463a1024", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8494eb613c13ab0cc95991c6db5227368cb60f979914f5b18b34f15c463a1024"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-mariadb/src/mariadb.ts"}, "region": {"startLine": 227}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 50498, "scanner": "repobility-threat-engine", "fingerprint": "ce283403439051ab80df0ede7766a7f003d66e90ecd1b8c79bae7b9089f7dc2b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(script", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ce283403439051ab80df0ede7766a7f003d66e90ecd1b8c79bae7b9089f7dc2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-d1/src/d1-worker.ts"}, "region": {"startLine": 172}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 50497, "scanner": "repobility-threat-engine", "fingerprint": "019698f410ab108eb198aeffaf5b5c709fa2362522991edb3f1d7bbb4986dc51", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(script", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|019698f410ab108eb198aeffaf5b5c709fa2362522991edb3f1d7bbb4986dc51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-better-sqlite3/src/better-sqlite3.ts"}, "region": {"startLine": 186}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 50496, "scanner": "repobility-threat-engine", "fingerprint": "cee7493d9c76352a2d4cd22f3e533720ca219aa97ab84296d26d1d4897051bb5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(args", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cee7493d9c76352a2d4cd22f3e533720ca219aa97ab84296d26d1d4897051bb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helpers/compile/plugins/replaceWithPlugin.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 50470, "scanner": "repobility-threat-engine", "fingerprint": "add8207899e414bc08ddd71096e67ea8147955239fad2b15388e08206c9ecc79", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hash.update(data)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|add8207899e414bc08ddd71096e67ea8147955239fad2b15388e08206c9ecc79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/fetch-engine/src/getHash.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 50469, "scanner": "repobility-threat-engine", "fingerprint": "dfa71ce44c577d12c250a1d674fda8605711dd3207a3caf172c53db5ad79b333", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "nodeResponse.destroy()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dfa71ce44c577d12c250a1d674fda8605711dd3207a3caf172c53db5ad79b333"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/studio-server.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 50468, "scanner": "repobility-threat-engine", "fingerprint": "2e54aa2033b8756d94c2f24539713f1c76266dfa49f7bf7fdc9db3052a7ec555", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "expectedExports.delete('./index')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2e54aa2033b8756d94c2f24539713f1c76266dfa49f7bf7fdc9db3052a7ec555"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eslint-local-rules/valid-exported-types-index.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 50466, "scanner": "repobility-threat-engine", "fingerprint": "053fa514f0d2fe9a9d7635508a35d5b7ae70ad80aa768a4c15783f75d2231e71", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([name, desc]) => `    ${name.padEnd(maxNameLen)}   ${desc}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|053fa514f0d2fe9a9d7635508a35d5b7ae70ad80aa768a4c15783f75d2231e71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/platform/_lib/help.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 50465, "scanner": "repobility-threat-engine", "fingerprint": "0868ddc75f9f902b8323b6d611deb97c7d0b81a5fbcbde529ca5d62b6bb8d1d8", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([major, minor]) => `${major}.${minor}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0868ddc75f9f902b8323b6d611deb97c7d0b81a5fbcbde529ca5d62b6bb8d1d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/scripts/preinstall.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 50464, "scanner": "repobility-threat-engine", "fingerprint": "7eaed8161779d52ce17f9a0f338d37f2cf51c92d1b2678e6cde73f4114a1003c", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((fileName) => `./${fileName.replace(/\\.ts$/, '')}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7eaed8161779d52ce17f9a0f338d37f2cf51c92d1b2678e6cde73f4114a1003c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "eslint-local-rules/valid-exported-types-index.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 6096, "scanner": "repobility-docker", "fingerprint": "01923f0f93b4d82ec298c8a027abd6f5a3c98f5a5df586d5ad13de36af2ef92f", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|01923f0f93b4d82ec298c8a027abd6f5a3c98f5a5df586d5ad13de36af2ef92f", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/typed-sql/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 6091, "scanner": 
"repobility-docker", "fingerprint": "1c374d08cf94888297972f473029648df8a738125ff4af54851aaa9f055da32a", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|1c374d08cf94888297972f473029648df8a738125ff4af54851aaa9f055da32a", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/pg-global-type-parsers/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 6089, "scanner": "repobility-docker", "fingerprint": "0aa5e8cd75e29a730f4cc481d781e8432b51d47bdba99eac622fdc53bc3424eb", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mongo", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|0aa5e8cd75e29a730f4cc481d781e8432b51d47bdba99eac622fdc53bc3424eb", "expected_targets": ["/data/configdb", "/data/db"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/mongodb-notablescan/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 6088, "scanner": "repobility-docker", "fingerprint": "401592d686ecf4e6e810ec484ceea04e2854fe6d8df10ef4a262eb3bbbea3779", "category": "docker", "severity": 
"high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|401592d686ecf4e6e810ec484ceea04e2854fe6d8df10ef4a262eb3bbbea3779", "expected_targets": ["/var/lib/mysql"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/issues/28221-multiple-provider-clients/docker-compose.yaml"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 6086, "scanner": "repobility-docker", "fingerprint": "97e0e98a9e717aeb121d28d6c328205fc30d3936321f95bc7656d800b22293b8", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|97e0e98a9e717aeb121d28d6c328205fc30d3936321f95bc7656d800b22293b8", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/issues/28221-multiple-provider-clients/docker-compose.yaml"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 6084, "scanner": "repobility-docker", "fingerprint": "1b2958b7e921365a23d32fffc081cf4d98dc0ae669ddf85366ae38d98e9c9286", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": 
"Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|1b2958b7e921365a23d32fffc081cf4d98dc0ae669ddf85366ae38d98e9c9286", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-pg/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 6082, "scanner": "repobility-docker", "fingerprint": "67e3344b3fc10c7e47cd8e2d236a99d224afd52e77d4c7f89143848c6d435682", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|67e3344b3fc10c7e47cd8e2d236a99d224afd52e77d4c7f89143848c6d435682", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 6081, "scanner": "repobility-docker", "fingerprint": "7dc28ec5047a27fd0aca11c3c1289ced478aaace030ca7807287b27867923721", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": 
[{"raw": "15432:5432", "target": "5432", "host_ip": "", "published": "15432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|7dc28ec5047a27fd0aca11c3c1289ced478aaace030ca7807287b27867923721"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/driver-adapters-custom-db-schema/adapter-neon/docker-compose.yaml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 6075, "scanner": "repobility-docker", "fingerprint": "63f43ae5b81def47ad1a4c62967e8c03be706172a2cf2f61dda8a20b5de4feb6", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|63f43ae5b81def47ad1a4c62967e8c03be706172a2cf2f61dda8a20b5de4feb6", "expected_targets": ["/var/lib/mysql"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/tests/e2e/connection-limit-reached/docker-compose.yaml"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 6061, "scanner": "repobility-docker", "fingerprint": "7da8101747333b0d54277c8efb74812ee54420c967fd1bf80dcbc984773da121", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does 
not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mongodb_migrate", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|7da8101747333b0d54277c8efb74812ee54420c967fd1bf80dcbc984773da121", "expected_targets": ["/data/configdb", "/data/db"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 163}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 6060, "scanner": "repobility-docker", "fingerprint": "776eff259051ff8839e339cc7592eaac8b50596efbc9e64dff73c5beaabb63af", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "27017:27017", "target": "27017", "host_ip": "", "published": "27017"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mongodb_migrate", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|776eff259051ff8839e339cc7592eaac8b50596efbc9e64dff73c5beaabb63af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 163}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 6059, "scanner": "repobility-docker", "fingerprint": "b053d2473097c605e21c1ba583fde99a015c0f1f25f701b57da6ba4c3c8901e0", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known 
data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mssql", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|b053d2473097c605e21c1ba583fde99a015c0f1f25f701b57da6ba4c3c8901e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 149}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 6058, "scanner": "repobility-docker", "fingerprint": "96910ff76472f1fc320107c8bb16f52d1e04c1883d3f768b673de5565af8bf0f", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "1433:1433", "target": "1433", "host_ip": "", "published": "1433"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mssql", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|96910ff76472f1fc320107c8bb16f52d1e04c1883d3f768b673de5565af8bf0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 149}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 6054, "scanner": "repobility-docker", "fingerprint": "4e1142e4a113326bbbf8cf5dab4157ac34aa866d498a3660494439ed4bb12b94", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": 
"mariadb", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|4e1142e4a113326bbbf8cf5dab4157ac34aa866d498a3660494439ed4bb12b94", "expected_targets": ["/var/lib/mysql"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 133}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 6053, "scanner": "repobility-docker", "fingerprint": "bb942bcd4e9a0331b0786c3054510182f41a9b58252f89c650ab56ce5ae57868", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "4306:3306", "target": "3306", "host_ip": "", "published": "4306"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mariadb", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|bb942bcd4e9a0331b0786c3054510182f41a9b58252f89c650ab56ce5ae57868"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 133}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 6051, "scanner": "repobility-docker", "fingerprint": "42c679f47079cc84ab7a8ceb5bf8a43b586dabdceb527d0c4e74d151dfd05b6d", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mysql_isolated", "references": 
["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|42c679f47079cc84ab7a8ceb5bf8a43b586dabdceb527d0c4e74d151dfd05b6d", "expected_targets": ["/var/lib/mysql"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 116}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 6050, "scanner": "repobility-docker", "fingerprint": "d3cb2a267d8fcf67a3ede43ee3df8207b72316e198ab5ebf5991396778bf8540", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "3307:3306", "target": "3306", "host_ip": "", "published": "3307"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mysql_isolated", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|d3cb2a267d8fcf67a3ede43ee3df8207b72316e198ab5ebf5991396778bf8540"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 116}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 6048, "scanner": "repobility-docker", "fingerprint": "7059740def7ea715d5ea9dd4fb3f52c14940bcc9c63ce0f2267f92232a151996", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mysql", "references": 
["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|7059740def7ea715d5ea9dd4fb3f52c14940bcc9c63ce0f2267f92232a151996", "expected_targets": ["/var/lib/mysql"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 6047, "scanner": "repobility-docker", "fingerprint": "997991f434bbd1c1cacd02aecf905b35665fa63c6570ad44baf26b8dee91982a", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "3306:3306", "target": "3306", "host_ip": "", "published": "3306"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|997991f434bbd1c1cacd02aecf905b35665fa63c6570ad44baf26b8dee91982a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 6045, "scanner": "repobility-docker", "fingerprint": "78b1368a77d515848158ace82a7a4d296fc33fe7527b0c454cd2fcfbf5d8e457", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "vitess-8", "references": ["https://docs.docker.com/engine/storage/volumes/"], 
"correlation_key": "fp|78b1368a77d515848158ace82a7a4d296fc33fe7527b0c454cd2fcfbf5d8e457", "expected_targets": ["/var/lib/mysql"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 6044, "scanner": "repobility-docker", "fingerprint": "558526f135875f603fb2b9dac0c239069a731a3912d2cdc670139bd3b8a18733", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "33807:33807", "target": "33807", "host_ip": "", "published": "33807"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "vitess-8", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|558526f135875f603fb2b9dac0c239069a731a3912d2cdc670139bd3b8a18733"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 6041, "scanner": "repobility-docker", "fingerprint": "15e9344f963f187e1329b8942a12e64ae5a69288c78ef71bd1d33e794c0cfa0b", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres_isolated", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": 
"fp|15e9344f963f187e1329b8942a12e64ae5a69288c78ef71bd1d33e794c0cfa0b", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 6040, "scanner": "repobility-docker", "fingerprint": "38146b5a7157773bad770f27baf468e21efc3d380abf96467131a8fa771145a2", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5435:5432", "target": "5432", "host_ip": "", "published": "5435"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres_isolated", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|38146b5a7157773bad770f27baf468e21efc3d380abf96467131a8fa771145a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 6021, "scanner": "repobility-threat-engine", "fingerprint": "0d53c5c6fd4870b8e2a973116c36297a933dca42ef09c5f37d9ed2404995e3a3", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "OPEN(?:DATASOURCE|QUERY", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|22|sec013", "duplicate_count": 1, "duplicate_rule_ids": ["SEC013"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["0d53c5c6fd4870b8e2a973116c36297a933dca42ef09c5f37d9ed2404995e3a3", "3cd132c8adcbd5e0dd58943e7eadad9305cad33145eacab9aef85a6d2c706824"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/client/src/runtime/highlight/languages/sql.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODSPEED_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODSPEED_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50575, "scanner": "repobility-supply-chain", "fingerprint": "a6ef9b74a0e8ebd0460bb46a620d4ebf056df0c3178eafbaeed92dcbdfcab7db", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a6ef9b74a0e8ebd0460bb46a620d4ebf056df0c3178eafbaeed92dcbdfcab7db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark.yml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BOT_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BOT_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 50557, "scanner": "repobility-supply-chain", "fingerprint": "31c1715211d50533e11861ec34b326fe4b6670858cf1c4d2def9545e55c2b51c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|31c1715211d50533e11861ec34b326fe4b6670858cf1c4d2def9545e55c2b51c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 50510, "scanner": "repobility-threat-engine", "fingerprint": "2e984683f6e8fdf8e52e3e26c7cc76531559e41c30d06a33f79d58dac06d11a9", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2e984683f6e8fdf8e52e3e26c7cc76531559e41c30d06a33f79d58dac06d11a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/internals/src/get-generators/utils/getBinaryPathsByVersion.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED024", "level": "error", "message": 
{"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk."}, "properties": {"repobilityId": 50509, "scanner": "repobility-threat-engine", "fingerprint": "59495b6bcb2ee86a86fca9655b0d9790c07f2e4604883a2350b56433891b2e46", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|59495b6bcb2ee86a86fca9655b0d9790c07f2e4604883a2350b56433891b2e46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/bin.ts"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED024", "level": "error", "message": {"text": "[MINED024] Js Eval Usage: eval() executes arbitrary code. 
Code injection risk."}, "properties": {"repobilityId": 50508, "scanner": "repobility-threat-engine", "fingerprint": "8cd00a6c732aa660d545d27b06aa451b9fd6988ac395763cda799ec14957d0ec", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-eval-usage", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347954+00:00", "triaged_in_corpus": 20, "observations_count": 35589, "ai_coder_pattern_id": 103}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8cd00a6c732aa660d545d27b06aa451b9fd6988ac395763cda799ec14957d0ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/Generate.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 50486, "scanner": "repobility-threat-engine", "fingerprint": "ef903edef85490ab2ddd9d712a28181cdb0162139b881c94a3a4ee7dbd8b1c2e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ef903edef85490ab2ddd9d712a28181cdb0162139b881c94a3a4ee7dbd8b1c2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/utils/test-handlePanic.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 50485, "scanner": "repobility-threat-engine", "fingerprint": "914171b01d94f3ca80242cd9bf661627bb587779a7ae2463bfbdaedcfc864bdb", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(indexPath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|914171b01d94f3ca80242cd9bf661627bb587779a7ae2463bfbdaedcfc864bdb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/Generate.ts"}, "region": {"startLine": 359}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 50484, "scanner": "repobility-threat-engine", "fingerprint": "315280e19a7baad4bcab51c58e38951ccd550df0325768288b2d80578aaac7eb", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(extendsPath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|315280e19a7baad4bcab51c58e38951ccd550df0325768288b2d80578aaac7eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "helpers/compile/plugins/resolvePathsPlugin.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 50463, "scanner": "repobility-threat-engine", "fingerprint": "be064af23f3858d33553da396125ae754769f3afc5a5c0564fa41a5bf1a227ec", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|be064af23f3858d33553da396125ae754769f3afc5a5c0564fa41a5bf1a227ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/scripts/setup-postgres.sh"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] 
Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 50462, "scanner": "repobility-threat-engine", "fingerprint": "02acb3d267911bbe8be144808fa7f946383c4e8a074dee939c2580f50b67f822", "category": "credential_exposure", "severity": "critical", "confidence": 0.45, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: migration script (typical placeholder values)]", "evidence": {"match": "postgresql://login:password@", "reason": "Pattern matched with no mitigating context found | [R34 auto-suppress: migration script (typical placeholder values)]", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 0.45, "correlation_key": "secret|token|5|postgresql://login:password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/migrate/src/commands/MigrateCommand.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 6056, "scanner": "repobility-docker", "fingerprint": "9dff2688e4f5bbb6d8316c3484a18bfb5fe740c6117e114259efcc0a89e023de", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mssql", "variable": "SA_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": 
"fp|9dff2688e4f5bbb6d8316c3484a18bfb5fe740c6117e114259efcc0a89e023de", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 149}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 6052, "scanner": "repobility-docker", "fingerprint": "a2da8d2e1ae8d5c0a464deb2d40b4f330ed3ba7ef498dae17f409961e8f9ad91", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mariadb", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|a2da8d2e1ae8d5c0a464deb2d40b4f330ed3ba7ef498dae17f409961e8f9ad91", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 133}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 6049, "scanner": "repobility-docker", "fingerprint": "6072438cdd0ac4caebac53760ac8f919b3dd9d5c1b72cb61720b0bb49a150c2e", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mysql_isolated", "variable": "MYSQL_ROOT_PASSWORD", "references": 
["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|6072438cdd0ac4caebac53760ac8f919b3dd9d5c1b72cb61720b0bb49a150c2e", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 116}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 6046, "scanner": "repobility-docker", "fingerprint": "659c53ebc75ce48e525e56a6b6c5d67d825eacc3d51a30d1a2791b405b7c5de2", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mysql", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|659c53ebc75ce48e525e56a6b6c5d67d825eacc3d51a30d1a2791b405b7c5de2", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 6039, "scanner": "repobility-docker", "fingerprint": "a7dd43a87b2e54be8e0fdaae9dd4f986ae56899604df0d9b426ea965033a6b63", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": 
"DKC007", "scanner": "repobility-docker", "service": "postgres_isolated", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|a7dd43a87b2e54be8e0fdaae9dd4f986ae56899604df0d9b426ea965033a6b63", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 6037, "scanner": "repobility-docker", "fingerprint": "85f80619671c33cbe4e3b0847b65a6244e8d68add39e00e322bcfc311a1d228d", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres-16", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|85f80619671c33cbe4e3b0847b65a6244e8d68add39e00e322bcfc311a1d228d", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 6034, "scanner": "repobility-docker", "fingerprint": "f89d6c0c8046ed05d12906aba77c1890e6845fcf792e8e4580311d726534246a", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|f89d6c0c8046ed05d12906aba77c1890e6845fcf792e8e4580311d726534246a", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 6023, "scanner": "repobility-threat-engine", "fingerprint": "802e72dbc4555164c94630505f862fcd25031d16a5faf3897ebd3db99d81596f", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://johndoe:randompassword@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|packages/cli/src/init.ts|18|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/Init.ts"}, "region": {"startLine": 190}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. 
These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 6022, "scanner": "repobility-threat-engine", "fingerprint": "2507d28186895a5e45994fef2bc033b2cf7742ca9804c265d8087e809032d515", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://user:password@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|packages/cli/src/studio.ts|23|postgresql://user:password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/cli/src/Studio.ts"}, "region": {"startLine": 232}}}]}]}]}