{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `livekit_server` image has no explicit tag", "shortDescription": {"text": "Compose service `livekit_server` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC014", "name": "Database data bind mount is inside the Docker build context", "shortDescription": {"text": "Database data bind mount is inside the Docker build context"}, "fullDescription": {"text": "Prefer a named volume or a host path outside the build context. 
If a repo-local path is required, add it to .dockerignore and .gitignore and verify backups separately."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. 
The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `convert_body` has cognitive complexity 19 (SonarSource scale). Cognitive ", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `convert_body` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion "}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 19."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. 
Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 751 lines (recommend <300)", "shortDescription": {"text": "Average file size is 751 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. 
Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", 
"shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "AIC009", "name": "Multiple AI-agent scaffold marker files are present", "shortDescription": {"text": "Multiple AI-agent scaffold marker files are present"}, "fullDescription": {"text": "Keep one current agent instruction file if it helps contributors, remove stale progress/completion markers, and make sure the README, tests, and CI describe the real supported behavior."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "MINED046", "name": "[MINED046] Dart Print: print() in Flutter goes to console. Use debugPrint / logger.", "shortDescription": {"text": "[MINED046] Dart Print: print() in Flutter goes to console. 
Use debugPrint / logger."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC078] Python: requests without timeout (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED041", "name": "[MINED041] Rust Unimplemented Macro (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED041] Rust Unimplemented Macro (and 6 more): Same pattern found in 6 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block (and 41 more): Same pattern found in 41 additional files. Review if needed.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block (and 41 more): Same pattern found in 41 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 33 more): Same pattern found in 33 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 33 more): Same pattern found in 33 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 83 more): Same pattern found in 83 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 83 more): Same pattern found in 83 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 211 more): Same pattern found in 211 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 211 more): Same pattern found in 211 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 72 more): Same pattern found in 72 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 72 more): Same pattern found in 72 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 17 more): Same pattern found in 17 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 17 more): Same pattern found in 17 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `crates/zed/resources/windows/bin/x64/OpenConsole.exe` committed in source repo: `crates/zed/reso", "shortDescription": {"text": "[MINED134] Binary file `crates/zed/resources/windows/bin/x64/OpenConsole.exe` committed in source repo: `crates/zed/resources/windows/bin/x64/OpenConsole.exe` is a .exe binary (1,145,344 bytes) committed to a repo that otherwise has 1865 so"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `postgres:15` unpinned: `container/services image: postgres:15` without `@s", "shortDescription": {"text": "[MINED126] Workflow container/services image `postgres:15` unpinned: `container/services image: postgres:15` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain disc"}, "fullDescription": {"text": "Replace with `postgres:15@sha256:<digest>`. 
Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `bufbuild/buf-breaking-action` pinned to mutable ref `@v1`: `uses: bufbuild/buf-breaking-action@v1` re", "shortDescription": {"text": "[MINED115] Action `bufbuild/buf-breaking-action` pinned to mutable ref `@v1`: `uses: bufbuild/buf-breaking-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-fi"}, "fullDescription": {"text": "Replace with: `uses: bufbuild/buf-breaking-action@<40-char-sha>  # v1` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `rust:1.95.0` not pinned by digest: `FROM rust:1.95.0` resolves the tag at build time. The re", "shortDescription": {"text": "[MINED118] Dockerfile FROM `rust:1.95.0` not pinned by digest: `FROM rust:1.95.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should"}, "fullDescription": {"text": "Replace with: `FROM rust:1.95.0@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_callbacks_can_be_added_and_removed` of c", "shortDescription": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_callbacks_can_be_added_and_removed` of class `ReactTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). Thi"}, "fullDescription": {"text": "Initialize `self.assertEqual = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "Create .dockerignore before using broad context copies, or copy only the required files and directories."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with 
server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC035", "name": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based o", "shortDescription": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation."}, "fullDescription": {"text": "Cap user-controlled sizes BEFORE allocation:\n  size = min(int(request.args.get('n', 100)), MAX_SIZE)\nSet framework-level limits:\n  Flask:    app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024\n  FastAPI:  use middleware to enforce request size\n  Django:   DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py\nNever raise `sys.setrecursionlimit` past 10K without a deeper review."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.AZURE_SIGNING_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.AZURE_SIGNING_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.AZURE_SIGNING_TENANT_ID }` lets a PR from any fork e"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/796"}, "properties": {"repository": "zed-industries/zed", "repoUrl": "https://github.com/zed-industries/zed", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 67772, "scanner": "repobility-ast-engine", "fingerprint": "ba1ce9d1bbcc1248d88b458b0579f7f9c6ba64d60863d043a3ecfae3e1b092c0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ba1ce9d1bbcc1248d88b458b0579f7f9c6ba64d60863d043a3ecfae3e1b092c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "nix/tests/a11y_atspi_test.py"}, "region": {"startLine": 203}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 67746, "scanner": "repobility-ast-engine", "fingerprint": "75799aff03218ad63a1737631f8555dfcf729ef09c9fc3130d57cab90340c4d0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|75799aff03218ad63a1737631f8555dfcf729ef09c9fc3130d57cab90340c4d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/github-track-duplicate-bot-effectiveness.py"}, "region": {"startLine": 497}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 67745, "scanner": "repobility-ast-engine", "fingerprint": "1f8edb67049967e7449e92ff8eb8988ce6e6edd063b43e5ff3f36cf2b27e2df9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1f8edb67049967e7449e92ff8eb8988ce6e6edd063b43e5ff3f36cf2b27e2df9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/github-assign-contributor-issue.py"}, "region": {"startLine": 334}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `livekit_server` image has no explicit tag"}, "properties": {"repobilityId": 67742, "scanner": "repobility-docker", "fingerprint": 
"36751dd0b87390bb63c11e223cb11dc3acdbe80db3846c731b9c54fe706b7691", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "docker.io/livekit/livekit-server", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|36751dd0b87390bb63c11e223cb11dc3acdbe80db3846c731b9c54fe706b7691"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC014", "level": "warning", "message": {"text": "Database data bind mount is inside the Docker build context"}, "properties": {"repobilityId": 67740, "scanner": "repobility-docker", "fingerprint": "2e0b4b14e5a76a5e9dc28612d87ca8dd1aca6b60fc18262a492c76d199a4b8a7", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database data directory is mounted from a relative path that is not excluded by .dockerignore.", "evidence": {"source": "./.blob_store", "target": "/data", "rule_id": "DKC014", "scanner": "repobility-docker", "service": "blob_store", "references": ["https://docs.docker.com/engine/storage/volumes/", "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|2e0b4b14e5a76a5e9dc28612d87ca8dd1aca6b60fc18262a492c76d199a4b8a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `blob_store` image has no explicit tag"}, "properties": {"repobilityId": 67737, "scanner": "repobility-docker", "fingerprint": 
"76e1e52f6d6e3529f794c28914121854fa9174a5fa0da11240cb79dd2aa1a3a6", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "quay.io/minio/minio", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|76e1e52f6d6e3529f794c28914121854fa9174a5fa0da11240cb79dd2aa1a3a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 67735, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 67734, "scanner": "repobility-docker", "fingerprint": "bb13a994b2e83bb81c4bee77de9b8e85322aa30668f058e681e2a25daee4af83", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final 
runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${NAMESPACE_BASE_IMAGE_REF}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bb13a994b2e83bb81c4bee77de9b8e85322aa30668f058e681e2a25daee4af83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/Dockerfile.namespace"}, "region": {"startLine": 4}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 67730, "scanner": "repobility-agent-runtime", "fingerprint": "3286db64e164f714cab2b4843f135189a8d9999920e54d3473cfb949d2402c5d", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|3286db64e164f714cab2b4843f135189a8d9999920e54d3473cfb949d2402c5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/background_agent_mvp.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 67697, "scanner": "repobility-threat-engine", "fingerprint": "2f5050061a3bc66648dbee493bdbd4f31085724d608a32ebadb57fb9947974c2", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a id=\"open-tab\" href=\"./{first}/\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|305|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tooling/xtask/src/tasks/web_examples.rs"}, "region": {"startLine": 305}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `convert_body` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=2, elif=1, else=1, for=1, if=7, nested_bonus=7."}, "properties": {"repobilityId": 67690, "scanner": "repobility-threat-engine", "fingerprint": "873e85673dbee7069fcea58cfbdefb283616c34c1073c21299151332cd4df951", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 19 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "convert_body", "breakdown": {"if": 7, "for": 1, "elif": 1, "else": 1, "continue": 2, "nested_bonus": 7}, "complexity": 19, "correlation_key": "fp|873e85673dbee7069fcea58cfbdefb283616c34c1073c21299151332cd4df951"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/flatpak/convert-release-notes.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC002", "level": "warning", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 67677, "scanner": "repobility-threat-engine", "fingerprint": "623cb5da6221985fdd4eecab77f39f74966d76e39dae4ce9d13cba8060358756", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.4 bits) \u2014 may be placeholder or common string", "evidence": {"match": "API_KEY=\"<redacted>\"", "reason": "Low entropy value (3.4 bits) \u2014 may be placeholder or common string", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|crates/util/src/redact.rs|4|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/util/src/redact.rs"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data 
\u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 67654, "scanner": "repobility-threat-engine", "fingerprint": "b454cef1d782438372ad96cec6c773de41edc3c3da36630058a15aa25c0d470e", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|30|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/collab/src/db/queries/users.rs"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 67653, "scanner": "repobility-threat-engine", "fingerprint": "77c89bd832aeb2dfdec58e8f7b9b62a61b311c01d0b1121001756ff996c9b2ba", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|85|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/collab/src/db/queries/servers.rs"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 67652, "scanner": "repobility-threat-engine", "fingerprint": "af5f02aef39e3992c4d0bcb32e1e9375154113c3500d6b5d1a4f41e4485c4af7", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|137|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/collab/src/db/queries/notifications.rs"}, "region": {"startLine": 137}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 751 lines (recommend <300)"}, "properties": {"repobilityId": 67631, "scanner": "repobility-core", "fingerprint": "5230cb6e3da7e0f3a6fd5d82cc1760ef0f4976223bc689409f6bab697b544688", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|5230cb6e3da7e0f3a6fd5d82cc1760ef0f4976223bc689409f6bab697b544688"}}}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 67744, "scanner": "repobility-docker", "fingerprint": "57ba44e87912f9385716d057cbc7f495addbe559f44df0763a39f951908d13b1", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "livekit_server", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|57ba44e87912f9385716d057cbc7f495addbe559f44df0763a39f951908d13b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 67743, "scanner": "repobility-docker", "fingerprint": "f8f9f7f37c74cc696fa1aff5665eb30eeccec0c0fde9be7b2fc853bc8f720316", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "livekit_server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f8f9f7f37c74cc696fa1aff5665eb30eeccec0c0fde9be7b2fc853bc8f720316"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 67741, "scanner": "repobility-docker", "fingerprint": "15e580e49f7fa70b1f87c79cea90c782aa67020c4f68bf4aa021502cea0f2454", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "blob_store", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|15e580e49f7fa70b1f87c79cea90c782aa67020c4f68bf4aa021502cea0f2454"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yml"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 67733, "scanner": "repobility-docker", "fingerprint": "f68dc97a138968a39f669ab2165a361e7afe7846cd0654976d7745eb7925172e", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f68dc97a138968a39f669ab2165a361e7afe7846cd0654976d7745eb7925172e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/Dockerfile.namespace"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 67732, "scanner": "repobility-docker", "fingerprint": "fe51d5ad0ba53ca01d71d71c469b2aa6e36372052765a2c0de7dff481cdacdc5", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|fe51d5ad0ba53ca01d71d71c469b2aa6e36372052765a2c0de7dff481cdacdc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/Dockerfile.namespace"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67729, "scanner": "repobility-ai-code-hygiene", "fingerprint": "460ef4df5320840d4dfc19f70d1ecd6452833a880f65182e78e8cc8835506ab5", 
"category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/debugger_ui/src/attach_modal.rs", "duplicate_line": 120, "correlation_key": "fp|460ef4df5320840d4dfc19f70d1ecd6452833a880f65182e78e8cc8835506ab5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/encoding_selector/src/encoding_selector.rs"}, "region": {"startLine": 190}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67728, "scanner": "repobility-ai-code-hygiene", "fingerprint": "feb05c16874485a5f28da045b4047602eb91c9b065b4bf8e67c7d15bdb37378f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/edit_prediction_cli/src/qa.rs", "duplicate_line": 139, "correlation_key": "fp|feb05c16874485a5f28da045b4047602eb91c9b065b4bf8e67c7d15bdb37378f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/edit_prediction_cli/src/repair.rs"}, "region": {"startLine": 230}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67727, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5d1d67c0915ead7cc40bec2ab810d00d835e9a5a1469285db97c65749f680fde", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/edit_prediction_cli/src/anthropic_client.rs", "duplicate_line": 132, "correlation_key": "fp|5d1d67c0915ead7cc40bec2ab810d00d835e9a5a1469285db97c65749f680fde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/edit_prediction_cli/src/openai_client.rs"}, "region": {"startLine": 63}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67726, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ffee829ea13b2b5fa885db9cfba512d8e5eea7b0bf58e5a3f0dd3461c78b5406", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/debugger_ui/src/session/running/module_list.rs", "duplicate_line": 72, "correlation_key": "fp|ffee829ea13b2b5fa885db9cfba512d8e5eea7b0bf58e5a3f0dd3461c78b5406"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/debugger_ui/src/session/running/stack_frame_list.rs"}, "region": {"startLine": 363}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67725, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fd76115815a6d0460f23ebef92af749a41557e9451b1fc42f50977b712de3e2e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in 
two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/debugger_ui/src/session/running/console.rs", "duplicate_line": 339, "correlation_key": "fp|fd76115815a6d0460f23ebef92af749a41557e9451b1fc42f50977b712de3e2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/debugger_ui/src/session/running/memory_view.rs"}, "region": {"startLine": 265}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67724, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ae984625065349b1993a5a829aa5dc362d845c9190aca63661141c0f5ea82c11", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/collab_ui/src/collab_panel/channel_modal.rs", "duplicate_line": 249, "correlation_key": "fp|ae984625065349b1993a5a829aa5dc362d845c9190aca63661141c0f5ea82c11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/debugger_ui/src/attach_modal.rs"}, "region": {"startLine": 122}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67723, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b7274d11112789b0619dcec82b5e6df5971e66eaddd8bd0cd55ec5523a63f527", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/dap_adapters/src/gdb.rs", "duplicate_line": 55, "correlation_key": "fp|b7274d11112789b0619dcec82b5e6df5971e66eaddd8bd0cd55ec5523a63f527"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/dap_adapters/src/javascript.rs"}, "region": {"startLine": 202}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67722, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d4dbf5244e69aa021059a8803dccc1f33e067bac1acb2726d474719e0b37c435", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/dap_adapters/src/codelldb.rs", "duplicate_line": 93, "correlation_key": "fp|d4dbf5244e69aa021059a8803dccc1f33e067bac1acb2726d474719e0b37c435"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/dap_adapters/src/javascript.rs"}, "region": {"startLine": 183}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67721, "scanner": "repobility-ai-code-hygiene", "fingerprint": "764bd72617b562ccb3eabe7971a5c7eb5c32567e8a75f7bca32ffaf43bfdd7c1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/dap_adapters/src/gdb.rs", "duplicate_line": 59, 
"correlation_key": "fp|764bd72617b562ccb3eabe7971a5c7eb5c32567e8a75f7bca32ffaf43bfdd7c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/dap_adapters/src/go.rs"}, "region": {"startLine": 320}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67720, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7dfd95aa44267d679a9bf836047634006d37df9f2574541e3cf19752971a8d9d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/agent_ui/src/ui/agent_notification.rs", "duplicate_line": 34, "correlation_key": "fp|7dfd95aa44267d679a9bf836047634006d37df9f2574541e3cf19752971a8d9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/collab_ui/src/collab_ui.rs"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67719, "scanner": "repobility-ai-code-hygiene", "fingerprint": "af7b15e0a7c35fffcf227bf888d5a4debffd386954c237627f9139cc0bfdf7a6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/collab_ui/src/collab_panel/channel_modal.rs", "duplicate_line": 249, "correlation_key": "fp|af7b15e0a7c35fffcf227bf888d5a4debffd386954c237627f9139cc0bfdf7a6"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "crates/collab_ui/src/collab_panel/contact_finder.rs"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67718, "scanner": "repobility-ai-code-hygiene", "fingerprint": "24a70f9193e8ddbac1ca2ac24f5f870e389adfb5628b5331876badc49aa088e0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/collab/src/db/tables/language_server.rs", "duplicate_line": 10, "correlation_key": "fp|24a70f9193e8ddbac1ca2ac24f5f870e389adfb5628b5331876badc49aa088e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/collab/src/db/tables/worktree.rs"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67717, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7efdeae2177d51397150992317a0807860112202b95a3880b03a9adf476ec908", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/collab/src/db/tables/language_server.rs", "duplicate_line": 10, "correlation_key": "fp|7efdeae2177d51397150992317a0807860112202b95a3880b03a9adf476ec908"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/collab/src/db/tables/project_repository.rs"}, "region": 
{"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67716, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6e605a9d2f92fa2cee90edc45b2476c86ddee98cc293b9fbaff3d2b5edf95192", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/collab/src/db/tables/language_server.rs", "duplicate_line": 10, "correlation_key": "fp|6e605a9d2f92fa2cee90edc45b2476c86ddee98cc293b9fbaff3d2b5edf95192"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/collab/src/db/tables/project_collaborator.rs"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67715, "scanner": "repobility-ai-code-hygiene", "fingerprint": "712539374616f0420f0a0239fc36a58dd4643720f229bcfb3d273d019aa798f1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/collab/src/db/tables/channel_buffer_collaborator.rs", "duplicate_line": 12, "correlation_key": "fp|712539374616f0420f0a0239fc36a58dd4643720f229bcfb3d273d019aa798f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/collab/src/db/tables/channel_chat_participant.rs"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": 
{"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67714, "scanner": "repobility-ai-code-hygiene", "fingerprint": "34f384ff585b768c968a6d57cd4e5bfb141b5cb18848dec7d6d9c5e1596cc8ea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/collab/src/db/tables/buffer_operation.rs", "duplicate_line": 9, "correlation_key": "fp|34f384ff585b768c968a6d57cd4e5bfb141b5cb18848dec7d6d9c5e1596cc8ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/collab/src/db/tables/buffer_snapshot.rs"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67713, "scanner": "repobility-ai-code-hygiene", "fingerprint": "621c6b47d4cf8aa6d6d8fb329b4dd0e8eea63c6ecde0d5c4ef3e8941b4e91714", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/agent_ui/src/ui/end_trial_upsell.rs", "duplicate_line": 17, "correlation_key": "fp|621c6b47d4cf8aa6d6d8fb329b4dd0e8eea63c6ecde0d5c4ef3e8941b4e91714"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/ai_onboarding/src/ai_onboarding.rs"}, "region": {"startLine": 172}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67712, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "91bebf38e329f4fa4c589a7ba190b4704988501b38dc789bf2cbca96430e1376", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/agent_ui/src/language_model_selector.rs", "duplicate_line": 340, "correlation_key": "fp|91bebf38e329f4fa4c589a7ba190b4704988501b38dc789bf2cbca96430e1376"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent_ui/src/profile_selector.rs"}, "region": {"startLine": 383}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67711, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3173c9c1757fc97c89da06a9f1cb16af643ff4c4227588c0d521ab6242bc7cbe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/agent_ui/src/agent_model_selector.rs", "duplicate_line": 96, "correlation_key": "fp|3173c9c1757fc97c89da06a9f1cb16af643ff4c4227588c0d521ab6242bc7cbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent_ui/src/model_selector_popover.rs"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67710, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"f7b0515b35d9402535f77acc9f4d2bb2061491331e6809d13751b18180174cf1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/agent_ui/src/language_model_selector.rs", "duplicate_line": 339, "correlation_key": "fp|f7b0515b35d9402535f77acc9f4d2bb2061491331e6809d13751b18180174cf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent_ui/src/model_selector.rs"}, "region": {"startLine": 162}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67709, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7bc711790a8034e4ff9c19a221db2267dbc0f12ff784198bd966790a5ea8267d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/agent/src/tools/apply_code_action_tool.rs", "duplicate_line": 101, "correlation_key": "fp|7bc711790a8034e4ff9c19a221db2267dbc0f12ff784198bd966790a5ea8267d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/rename_tool.rs"}, "region": {"startLine": 84}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67708, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1a20f480ddf83436d8e6d1d6c36d4411b30bec9dd244a74a349ca39d811d5859", "category": "quality", "severity": "low", 
"confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/agent/src/tools/find_references_tool.rs", "duplicate_line": 37, "correlation_key": "fp|1a20f480ddf83436d8e6d1d6c36d4411b30bec9dd244a74a349ca39d811d5859"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/rename_tool.rs"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67707, "scanner": "repobility-ai-code-hygiene", "fingerprint": "03f6aee20e226639718a05b51ed295359ed0d2a6aee86c1a90fdbc4511bf1172", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/agent/src/tools/copy_path_tool.rs", "duplicate_line": 71, "correlation_key": "fp|03f6aee20e226639718a05b51ed295359ed0d2a6aee86c1a90fdbc4511bf1172"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/move_path_tool.rs"}, "region": {"startLine": 96}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67706, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b74cdeb5ab1532e215508db56d891cfccd2de83d4563fe410008c2095a5b3f7b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code 
window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/agent/src/tools/find_references_tool.rs", "duplicate_line": 37, "correlation_key": "fp|b74cdeb5ab1532e215508db56d891cfccd2de83d4563fe410008c2095a5b3f7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/go_to_definition_tool.rs"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67705, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b6e6d1f75c27b82e2bc9249d527c839f4a6b5f66d09c37762b5212de1f185552", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/agent/src/tools/apply_code_action_tool.rs", "duplicate_line": 53, "correlation_key": "fp|b6e6d1f75c27b82e2bc9249d527c839f4a6b5f66d09c37762b5212de1f185552"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/get_code_actions_tool.rs"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67704, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d22fbf7d7074de7b5a2fee60c008c7d7e98e2bb5b5b9452ddd191f3079c92d9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/agent/src/tools/evals/terminal_tool.rs", "duplicate_line": 136, "correlation_key": "fp|8d22fbf7d7074de7b5a2fee60c008c7d7e98e2bb5b5b9452ddd191f3079c92d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/write_file.rs"}, "region": {"startLine": 100}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67703, "scanner": "repobility-ai-code-hygiene", "fingerprint": "acfd7dc8153d9f72ab56d4f0595fe37909d128287789cc4c60dfa0ec8007024b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/agent/src/tools/copy_path_tool.rs", "duplicate_line": 217, "correlation_key": "fp|acfd7dc8153d9f72ab56d4f0595fe37909d128287789cc4c60dfa0ec8007024b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/delete_path_tool.rs"}, "region": {"startLine": 221}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67702, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8c773223254b949f0f483c53d56ebba627436bc80b9e7ff6f716ac212b60dcc2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"crates/agent/src/tools/create_directory_tool.rs", "duplicate_line": 99, "correlation_key": "fp|8c773223254b949f0f483c53d56ebba627436bc80b9e7ff6f716ac212b60dcc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/delete_path_tool.rs"}, "region": {"startLine": 112}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67701, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b4f6c66b2415f5b1a18d44b7c07f8b8435c5f3ce4124919b179d5e3bfecd600b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/agent/src/tools/copy_path_tool.rs", "duplicate_line": 217, "correlation_key": "fp|b4f6c66b2415f5b1a18d44b7c07f8b8435c5f3ce4124919b179d5e3bfecd600b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/create_directory_tool.rs"}, "region": {"startLine": 139}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 67700, "scanner": "repobility-ai-code-hygiene", "fingerprint": "df6e0751085cb685a2d9e8de991bab32cae741193a592fa9982b48dd1002dfb7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "crates/agent/src/db.rs", "duplicate_line": 610, "correlation_key": 
"fp|df6e0751085cb685a2d9e8de991bab32cae741193a592fa9982b48dd1002dfb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/thread_store.rs"}, "region": {"startLine": 124}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 67699, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4557732970932674fe231fe2af81183553b04442dbac2db88990bcb39991a8b7", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|4557732970932674fe231fe2af81183553b04442dbac2db88990bcb39991a8b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/auto_update/src/auto_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC009", "level": "note", "message": {"text": "Multiple AI-agent scaffold marker files are present"}, "properties": {"repobilityId": 67698, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff6e1d5f8944c42e18d355d72dd1be436aa8bed440cc2a7bce2c8a8fb4706ed6", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains several AI-agent scaffold marker files.", "evidence": {"markers": ["AGENTS.md", "CLAUDE.md", "GEMINI.md"], "rule_id": "AIC009", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|ff6e1d5f8944c42e18d355d72dd1be436aa8bed440cc2a7bce2c8a8fb4706ed6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "AGENTS.md"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] 
High cognitive complexity: Function `extract_duplicate_info` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=1, except=1, for=1, if=2, nested_bonus=2, ternary=1."}, "properties": {"repobilityId": 67692, "scanner": "repobility-threat-engine", "fingerprint": "0879e8b34781f1c149e4064476e7e0f78b3569e15f69f50e403381c0dae2ff27", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "extract_duplicate_info", "breakdown": {"if": 2, "for": 1, "except": 1, "ternary": 1, "continue": 1, "nested_bonus": 2}, "complexity": 8, "correlation_key": "fp|0879e8b34781f1c149e4064476e7e0f78b3569e15f69f50e403381c0dae2ff27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/github-find-top-duplicated-bugs.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `fetch_canonical_issues_with_duplicates` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: break=2, for=2, if=3, nested_bonus=5."}, "properties": {"repobilityId": 67691, "scanner": "repobility-threat-engine", "fingerprint": "0a2baa65842ecb4f6ddfcd33b7d7d46efef461fb7624a2578d58dcdd5c1d1713", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 12 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "fetch_canonical_issues_with_duplicates", "breakdown": {"if": 3, "for": 2, "break": 2, "nested_bonus": 5}, "complexity": 12, "correlation_key": "fp|0a2baa65842ecb4f6ddfcd33b7d7d46efef461fb7624a2578d58dcdd5c1d1713"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/github-find-top-duplicated-bugs.py"}, "region": {"startLine": 103}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 67731, "scanner": "repobility-docker", "fingerprint": "46c979cfdca4801acd034dc32b434324bf9b020384b7d7199e846a947b4062b4", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${NAMESPACE_BASE_IMAGE_REF}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|46c979cfdca4801acd034dc32b434324bf9b020384b7d7199e846a947b4062b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/Dockerfile.namespace"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED046", "level": "none", "message": {"text": "[MINED046] Dart Print: print() in Flutter goes to console. 
Use debugPrint / logger."}, "properties": {"repobilityId": 67696, "scanner": "repobility-threat-engine", "fingerprint": "a6e5e31c2e578c1f174fc8a14f17a33606088fecf45035102da8bd977e689955", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "dart-print", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["dart"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348008+00:00", "triaged_in_corpus": 10, "observations_count": 1515005, "ai_coder_pattern_id": 168}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a6e5e31c2e578c1f174fc8a14f17a33606088fecf45035102da8bd977e689955"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/triage_watcher.jl"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 67695, "scanner": "repobility-threat-engine", "fingerprint": "0ad1812700928a8e5d8b6a1ae5a21f6153e25f5489892d0debdf4f2edc1fe030", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0ad1812700928a8e5d8b6a1ae5a21f6153e25f5489892d0debdf4f2edc1fe030"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/github-find-top-duplicated-bugs.py"}, "region": {"startLine": 210}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": 
"[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 67694, "scanner": "repobility-threat-engine", "fingerprint": "0616dd0a56ad7e0e70da70fc271d8966e9ae94627ae26b722f821ba23f43b007", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "print(\"Error: --github-token is required (or set GITHUB_TOKEN env var)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|20|print error: --github-token is required or set github_token env var"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/github-find-top-duplicated-bugs.py"}, "region": {"startLine": 210}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 67693, "scanner": "repobility-threat-engine", "fingerprint": "33f8a11bb9950391724aaaf564313c9967d2e5a2c97736723f8a42124b41d155", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "convert_body", "breakdown": {"if": 7, "for": 1, "elif": 1, "else": 1, "continue": 2, "nested_bonus": 7}, "aggregated": true, "complexity": 19, "correlation_key": "fp|33f8a11bb9950391724aaaf564313c9967d2e5a2c97736723f8a42124b41d155", "aggregated_count": 1}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 67689, "scanner": "repobility-threat-engine", "fingerprint": "1361ffa9c3e6bba8c756f3d556d7d430ee765c8d57ea666109adf6c3be4e2cb1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1361ffa9c3e6bba8c756f3d556d7d430ee765c8d57ea666109adf6c3be4e2cb1", "aggregated_count": 2}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 67688, "scanner": "repobility-threat-engine", "fingerprint": "9df54ac2deb81cc0afc34487d82a115eac91f92b449cbb511e4c523e7f494512", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9df54ac2deb81cc0afc34487d82a115eac91f92b449cbb511e4c523e7f494512"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/github-find-top-duplicated-bugs.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 67687, "scanner": "repobility-threat-engine", "fingerprint": "12f28fcb80372c0a19db6df0f78ea121e2aa4e89efca1502fe27f60c805d9c98", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|12f28fcb80372c0a19db6df0f78ea121e2aa4e89efca1502fe27f60c805d9c98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/github-clean-issue-types.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 67686, "scanner": "repobility-threat-engine", "fingerprint": "6999417307dbf95349f6d786daf87acc78c39adb6a4ee493e4d69f4737675a33", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6999417307dbf95349f6d786daf87acc78c39adb6a4ee493e4d69f4737675a33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/flatpak/convert-release-notes.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 67685, "scanner": "repobility-threat-engine", "fingerprint": "130c5045baecd0b9524abd6870aed08fddb81812daa325ac97b261216d6966ee", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|130c5045baecd0b9524abd6870aed08fddb81812daa325ac97b261216d6966ee"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 67681, "scanner": "repobility-threat-engine", "fingerprint": "e67b39bc1d9edd239bdc4c15c47ece8b24772b37f02c31c274777429ddd13dcc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e67b39bc1d9edd239bdc4c15c47ece8b24772b37f02c31c274777429ddd13dcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/danger/dangerfile.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 67679, "scanner": "repobility-threat-engine", "fingerprint": "5475874d14bfb9bddb0f88241a735eaad896fc377802e9ac76d5dfdef0246d72", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5475874d14bfb9bddb0f88241a735eaad896fc377802e9ac76d5dfdef0246d72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/cargo-timing-info.js"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 67678, "scanner": "repobility-threat-engine", "fingerprint": "0fcc51aaa7adca66e91333c56b33aa9a663e2b673e48604c1938f9074cfae6f5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0fcc51aaa7adca66e91333c56b33aa9a663e2b673e48604c1938f9074cfae6f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/theme/plugins.js"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED041", "level": "none", "message": {"text": "[MINED041] Rust Unimplemented Macro (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 67668, "scanner": "repobility-threat-engine", "fingerprint": "a0fe648305fb8d91eb0f74d5c2afd466e9fe8ef1c16c0aefa53f87b4c7e635ae", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a0fe648305fb8d91eb0f74d5c2afd466e9fe8ef1c16c0aefa53f87b4c7e635ae", "aggregated_count": 6}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block (and 41 more): Same pattern found in 41 additional files. Review if needed."}, "properties": {"repobilityId": 67663, "scanner": "repobility-threat-engine", "fingerprint": "f5515a175d2c6837762b0b57b4a39928ad82d16a141f2b6219caff2577e8c3d3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 41 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f5515a175d2c6837762b0b57b4a39928ad82d16a141f2b6219caff2577e8c3d3", "aggregated_count": 41}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 67662, "scanner": "repobility-threat-engine", "fingerprint": "4a4133f77d587d6dcb985938861d264434037f2d1916bec0d5e3abad4c525fda", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4a4133f77d587d6dcb985938861d264434037f2d1916bec0d5e3abad4c525fda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/auto_update_helper/src/dialog.rs"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 67661, "scanner": "repobility-threat-engine", "fingerprint": "8c2cc3578f5754315f37aa77a34819b88d71256109a77d4ca5936d1b4341bcac", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8c2cc3578f5754315f37aa77a34819b88d71256109a77d4ca5936d1b4341bcac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/auto_update_helper/src/auto_update_helper.rs"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 67660, "scanner": "repobility-threat-engine", "fingerprint": "e6b756a4fb9b7bff4a836b15682cadeccbd2c94fdb5131defe0b2a199c1e52ca", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e6b756a4fb9b7bff4a836b15682cadeccbd2c94fdb5131defe0b2a199c1e52ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/askpass/src/encrypted_password.rs"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 67659, "scanner": "repobility-threat-engine", "fingerprint": "62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "aggregated_count": 2}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 67658, "scanner": "repobility-threat-engine", "fingerprint": "e0bbc222505bfea76ae7123f5977e58ffdaea49aebb59c96ec3b3febe235f14a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e0bbc222505bfea76ae7123f5977e58ffdaea49aebb59c96ec3b3febe235f14a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/dev_container/src/features.rs"}, "region": {"startLine": 216}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 67657, "scanner": "repobility-threat-engine", "fingerprint": "c2a6af7b410465da22a0cf126f051c04369fe183253df875a2eb93c779fd1987", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c2a6af7b410465da22a0cf126f051c04369fe183253df875a2eb93c779fd1987"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/client/src/proxy/http_proxy.rs"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 67656, "scanner": "repobility-threat-engine", "fingerprint": "9c213c3fdd4d7fdb5be759273550fd5fcbc20d88950bfa8785ba2ad4fe8d183d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9c213c3fdd4d7fdb5be759273550fd5fcbc20d88950bfa8785ba2ad4fe8d183d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/fetch_tool.rs"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "properties": {"repobilityId": 67655, "scanner": "repobility-threat-engine", "fingerprint": "7ad821c68fd7d69c56ceaf843dc975879999279796dea3d5e69af832688addea", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7ad821c68fd7d69c56ceaf843dc975879999279796dea3d5e69af832688addea"}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 33 more): Same pattern found in 33 additional files. Review if needed."}, "properties": {"repobilityId": 67651, "scanner": "repobility-threat-engine", "fingerprint": "08e0e2c56b24f79189af47926647c377565c9480cf260ae9fd9294030213435a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 33 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|08e0e2c56b24f79189af47926647c377565c9480cf260ae9fd9294030213435a", "aggregated_count": 33}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 67650, "scanner": "repobility-threat-engine", "fingerprint": "a53d92e23679dc34e7af90f446cb28598cc950048bd9b1b27ceec35ffce35115", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a53d92e23679dc34e7af90f446cb28598cc950048bd9b1b27ceec35ffce35115"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/collab/src/env.rs"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 67649, "scanner": "repobility-threat-engine", "fingerprint": "7c2aa307242383c98f29863f2b517dce01d65034d12499d53d3f005b0478e116", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7c2aa307242383c98f29863f2b517dce01d65034d12499d53d3f005b0478e116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/client/src/test.rs"}, "region": {"startLine": 201}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 67648, "scanner": "repobility-threat-engine", "fingerprint": "28d3fea70228ec59bcab7b46ee8102dcd7c4cd9db46deaf72f442a8cd284d211", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|28d3fea70228ec59bcab7b46ee8102dcd7c4cd9db46deaf72f442a8cd284d211"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools.rs"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 83 more): Same pattern found in 83 additional files. Review if needed."}, "properties": {"repobilityId": 67647, "scanner": "repobility-threat-engine", "fingerprint": "0e3047cd39995e86e6063df8c78b314e43f3fe89560c8c474509e77741ec3458", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 83 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0e3047cd39995e86e6063df8c78b314e43f3fe89560c8c474509e77741ec3458", "aggregated_count": 83}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 67646, "scanner": "repobility-threat-engine", "fingerprint": "53c640a69afbe0efd262d7c80fef842b325b47aa6d4e236a0979e93a3f9f56ce", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|53c640a69afbe0efd262d7c80fef842b325b47aa6d4e236a0979e93a3f9f56ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent_settings/src/user_agents_md.rs"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 67645, "scanner": "repobility-threat-engine", "fingerprint": "41e7d9aa9b11642d2e944b04da24616f8b7e0beffcd3852dc414c25f743767ef", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|41e7d9aa9b11642d2e944b04da24616f8b7e0beffcd3852dc414c25f743767ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/update_plan_tool.rs"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics same as unwrap with a custom message."}, "properties": {"repobilityId": 67644, "scanner": "repobility-threat-engine", "fingerprint": "3d33445384ddb58dbe24db03c3486ae595905231ab7dbec46477def1274b91e4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3d33445384ddb58dbe24db03c3486ae595905231ab7dbec46477def1274b91e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/outline.rs"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 211 more): Same pattern found in 211 additional files. Review if needed."}, "properties": {"repobilityId": 67643, "scanner": "repobility-threat-engine", "fingerprint": "7409de12d2a81e96475da1a176b4e04e0edd0fce4940990e258e40f9f432f813", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 211 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7409de12d2a81e96475da1a176b4e04e0edd0fce4940990e258e40f9f432f813", "aggregated_count": 211}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 72 more): Same pattern found in 72 additional files. Review if needed."}, "properties": {"repobilityId": 67639, "scanner": "repobility-threat-engine", "fingerprint": "fb7d518ede90e31a211477b50d4f4a2aa505a9eb1275a4807d8272e741181d6c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 72 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 72 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|fb7d518ede90e31a211477b50d4f4a2aa505a9eb1275a4807d8272e741181d6c"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 17 more): Same pattern found in 17 additional files. 
Review if needed."}, "properties": {"repobilityId": 67635, "scanner": "repobility-threat-engine", "fingerprint": "82c6b69256192cc53f3e97906f4b7b1953127ff4369eaf5cc476c6a6e6d7a62f", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|82c6b69256192cc53f3e97906f4b7b1953127ff4369eaf5cc476c6a6e6d7a62f"}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `crates/zed/resources/windows/bin/x64/OpenConsole.exe` committed in source repo: `crates/zed/resources/windows/bin/x64/OpenConsole.exe` is a .exe binary (1,145,344 bytes) committed to a repo that otherwise has 1865 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that build scripts may execute or that ships to end users. This finding does not by itself establish that the file is malicious; verify its provenance (a valid code signature and a hash match against the upstream publisher's release artifact) and prefer fetching it at build time from a pinned, checksummed source instead of committing it."}, "properties": {"repobilityId": 67809, "scanner": "repobility-supply-chain", "fingerprint": "06f90e828e3219b6ec924087825fb99134c936d13dd9b96c3b7cdacce181d964", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|06f90e828e3219b6ec924087825fb99134c936d13dd9b96c3b7cdacce181d964"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/zed/resources/windows/bin/x64/OpenConsole.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `postgres:15` unpinned: `container/services image: postgres:15` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 67808, "scanner": "repobility-supply-chain", "fingerprint": "0aa4d583ea435003207b589c71fa7e166f63a77705793dea5d607a6f43787489", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0aa4d583ea435003207b589c71fa7e166f63a77705793dea5d607a6f43787489"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_tests.yml"}, "region": {"startLine": 402}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `bufbuild/buf-breaking-action` pinned to mutable ref `@v1`: `uses: bufbuild/buf-breaking-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67807, "scanner": "repobility-supply-chain", "fingerprint": "d0adb55ab47aaf9be2aa17257e9b2f046bbbf7ca7a9e0eee81d42cc6a22ac7d0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d0adb55ab47aaf9be2aa17257e9b2f046bbbf7ca7a9e0eee81d42cc6a22ac7d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_tests.yml"}, "region": {"startLine": 802}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `bufbuild/buf-setup-action` pinned to mutable ref `@v1`: `uses: bufbuild/buf-setup-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67806, "scanner": "repobility-supply-chain", "fingerprint": "6a216b8939ec9d9525334e1e36886c9a8bd01cd750b06193b1b4dc07dc537497", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6a216b8939ec9d9525334e1e36886c9a8bd01cd750b06193b1b4dc07dc537497"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_tests.yml"}, "region": {"startLine": 797}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `postgres:15` unpinned: `container/services image: postgres:15` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 67805, "scanner": "repobility-supply-chain", "fingerprint": "adb1fb3e7ac9a45a5f91f64cb0e4a5896c01ad04b7dc08087fbe1e1c2d821a08", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|adb1fb3e7ac9a45a5f91f64cb0e4a5896c01ad04b7dc08087fbe1e1c2d821a08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `zed-industries/zed/.github/workflows/deploy_docs.yml` pinned to mutable ref `@main`: `uses: zed-industries/zed/.github/workflows/deploy_docs.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67779, "scanner": "repobility-supply-chain", "fingerprint": "c94868895c65f17401c8e4174650e776fad9b8f6795793e5b90197a8b557b5c3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c94868895c65f17401c8e4174650e776fad9b8f6795793e5b90197a8b557b5c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy_nightly_docs.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `postgres:15` unpinned: `container/services image: postgres:15` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 67778, "scanner": "repobility-supply-chain", "fingerprint": "060045e26293c7884b1663956e5b30b5529dc49d10e20a21a08c09a28c5c448b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|060045e26293c7884b1663956e5b30b5529dc49d10e20a21a08c09a28c5c448b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release_nightly.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `zed-industries/zed/.github/workflows/deploy_docs.yml` pinned to mutable ref `@main`: `uses: zed-industries/zed/.github/workflows/deploy_docs.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67777, "scanner": "repobility-supply-chain", "fingerprint": "11f815ceda1dcb492a65ee6f40e5044c4912b6d025656c54a8d295a7119a1044", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|11f815ceda1dcb492a65ee6f40e5044c4912b6d025656c54a8d295a7119a1044"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/after_release.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `postgres:15` unpinned: `container/services image: postgres:15` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 67776, "scanner": "repobility-supply-chain", "fingerprint": "35d3254755339b2349fbbfe9a09e81ee5180b8ca21e01d93c2990445d9181062", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|35d3254755339b2349fbbfe9a09e81ee5180b8ca21e01d93c2990445d9181062"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy_collab.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `digitalocean/action-doctl` pinned to mutable ref `@v2`: `uses: digitalocean/action-doctl@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67775, "scanner": "repobility-supply-chain", "fingerprint": "8b4e467487e685bf242be9dfd5bdf2425a6eafdaefbeb26f28378311797a5a3c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8b4e467487e685bf242be9dfd5bdf2425a6eafdaefbeb26f28378311797a5a3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy_collab.yml"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `digitalocean/action-doctl` pinned to mutable ref `@v2`: `uses: digitalocean/action-doctl@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 67774, "scanner": "repobility-supply-chain", "fingerprint": "ae24dd55ab7268bfa5d009dd9a8128e5b3ac1c51614d7745503bac152d8f8069", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae24dd55ab7268bfa5d009dd9a8128e5b3ac1c51614d7745503bac152d8f8069"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy_collab.yml"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `rust:1.95.0` not pinned by digest: `FROM rust:1.95.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 67773, "scanner": "repobility-supply-chain", "fingerprint": "b045db9dad9d19e9a0ee85bf818d28c2e9b5eb2d6966196c848493fedf48eeed", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b045db9dad9d19e9a0ee85bf818d28c2e9b5eb2d6966196c848493fedf48eeed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/eval_cli/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_callbacks_can_be_added_and_removed` of class `ReactTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67771, "scanner": "repobility-ast-engine", "fingerprint": "1c35e406e30b52517f3dd8dba06b86c65872868f23c6d4bc48673942ef56b461", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1c35e406e30b52517f3dd8dba06b86c65872868f23c6d4bc48673942ef56b461"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 169}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_callbacks_can_be_added_and_removed` of class `ReactTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67770, "scanner": "repobility-ast-engine", "fingerprint": "dba458a09f90b8b67a952723cd7243f60df6e2b52da0944d68c0e58e9b62636e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dba458a09f90b8b67a952723cd7243f60df6e2b52da0944d68c0e58e9b62636e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_callbacks_can_be_added_and_removed` of class `ReactTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67769, "scanner": "repobility-ast-engine", "fingerprint": "5bd82a2a63d4d221ce9567d07d261f2ba49ee9220dd94b95a7407ad01b9cdb2b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5bd82a2a63d4d221ce9567d07d261f2ba49ee9220dd94b95a7407ad01b9cdb2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.callback_factory` used but never assigned in __init__: Method `test_callbacks_can_be_added_and_removed` of class `ReactTest` reads `self.callback_factory`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67768, "scanner": "repobility-ast-engine", "fingerprint": "a0ce6b18798f0d136680a163b7697c253444d88e1592d257b35a9a291f917058", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a0ce6b18798f0d136680a163b7697c253444d88e1592d257b35a9a291f917058"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.callback_factory` used but never assigned in __init__: Method `test_callbacks_can_be_added_and_removed` of class `ReactTest` reads `self.callback_factory`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67767, "scanner": "repobility-ast-engine", "fingerprint": "844ede94e5b78af3dcc83edb1ec9805e79ebdd471cea9c0c143b9873f9a88468", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|844ede94e5b78af3dcc83edb1ec9805e79ebdd471cea9c0c143b9873f9a88468"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.callback_factory` used but never assigned in __init__: Method `test_callbacks_can_be_added_and_removed` of class `ReactTest` reads `self.callback_factory`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67766, "scanner": "repobility-ast-engine", "fingerprint": "e1038502f58c14b984e7cf6ba33863d961f37767b8b3f4fe432ec059bb0274c9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e1038502f58c14b984e7cf6ba33863d961f37767b8b3f4fe432ec059bb0274c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_callbacks_can_fire_from_multiple_cells` of class `ReactTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67765, "scanner": "repobility-ast-engine", "fingerprint": "7baf81a2d9fbc2caa21b120716b7950a58bc7c3b3af61b082e8369be239aff23", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7baf81a2d9fbc2caa21b120716b7950a58bc7c3b3af61b082e8369be239aff23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_callbacks_can_fire_from_multiple_cells` of class `ReactTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67764, "scanner": "repobility-ast-engine", "fingerprint": "39a09f4efea5983e0d1778b2fd5a8b1429315056590bfab0d4774230c8e7a8a1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|39a09f4efea5983e0d1778b2fd5a8b1429315056590bfab0d4774230c8e7a8a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.callback_factory` used but never assigned in __init__: Method `test_callbacks_can_fire_from_multiple_cells` of class `ReactTest` reads `self.callback_factory`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67763, "scanner": "repobility-ast-engine", "fingerprint": "7824320a6fdd92e8dac81dc6b920db0accba017939f059189d872e0863d41c61", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7824320a6fdd92e8dac81dc6b920db0accba017939f059189d872e0863d41c61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.callback_factory` used but never assigned in __init__: Method `test_callbacks_can_fire_from_multiple_cells` of class `ReactTest` reads `self.callback_factory`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67762, "scanner": "repobility-ast-engine", "fingerprint": "1fa16ae60882c6d26ec74387d8cfd39a0e683dbce286395f6dfbe64725a2060b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1fa16ae60882c6d26ec74387d8cfd39a0e683dbce286395f6dfbe64725a2060b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_callbacks_do_not_report_already_reported_values` of class `ReactTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67761, "scanner": "repobility-ast-engine", "fingerprint": "6d6d94d1f47bae38ee0bbc447c35667a161b747a65efc7129ff8b01e6b5e24ee", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6d6d94d1f47bae38ee0bbc447c35667a161b747a65efc7129ff8b01e6b5e24ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_callbacks_do_not_report_already_reported_values` of class `ReactTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67760, "scanner": "repobility-ast-engine", "fingerprint": "fc7582f23789d06af04d0e5d0ccdd468e684c3d0fc588b5f789f541b058b1eb6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fc7582f23789d06af04d0e5d0ccdd468e684c3d0fc588b5f789f541b058b1eb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.callback_factory` used but never assigned in __init__: Method `test_callbacks_do_not_report_already_reported_values` of class `ReactTest` reads `self.callback_factory`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67759, "scanner": "repobility-ast-engine", "fingerprint": "795e45c228c7839e439b5fdd3475318d175de7184b8b81e54a998f52e448b4de", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|795e45c228c7839e439b5fdd3475318d175de7184b8b81e54a998f52e448b4de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_callback_cells_only_fire_on_change` of class `ReactTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67758, "scanner": "repobility-ast-engine", "fingerprint": "3d08732b98e4467bfe4b4cb6719e1c83330a6e31a0d32353c37ab16c18caa3ce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3d08732b98e4467bfe4b4cb6719e1c83330a6e31a0d32353c37ab16c18caa3ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_callback_cells_only_fire_on_change` of class `ReactTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67757, "scanner": "repobility-ast-engine", "fingerprint": "f744676196f9e9f95140f7967154704af2432340bb6b3c8440998e8bf0f8158b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f744676196f9e9f95140f7967154704af2432340bb6b3c8440998e8bf0f8158b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.callback_factory` used but never assigned in __init__: Method `test_callback_cells_only_fire_on_change` of class `ReactTest` reads `self.callback_factory`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67756, "scanner": "repobility-ast-engine", "fingerprint": "57e3d96ebf52bbf67845c9ccd82e759b753bf0041058b8b24562436e41931944", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|57e3d96ebf52bbf67845c9ccd82e759b753bf0041058b8b24562436e41931944"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_compute_cells_fire_callbacks` of class `ReactTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67755, "scanner": "repobility-ast-engine", "fingerprint": "edd37b72d39dc4c07e13d9e835fbae9035811a78172db3b7ca84521b7f5003a8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|edd37b72d39dc4c07e13d9e835fbae9035811a78172db3b7ca84521b7f5003a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.callback_factory` used but never assigned in __init__: Method `test_compute_cells_fire_callbacks` of class `ReactTest` reads `self.callback_factory`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67754, "scanner": "repobility-ast-engine", "fingerprint": "5be6cb1b01086ac109e1fb46508eea9284ceb1b0baece37ba2d9515bf3c1cd8e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5be6cb1b01086ac109e1fb46508eea9284ceb1b0baece37ba2d9515bf3c1cd8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_compute_cells_can_depend_on_other_compute_cells` of class `ReactTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67753, "scanner": "repobility-ast-engine", "fingerprint": "a034b0e724703b9c8846d1b94c4ba02f56406767208de66a609c253e249f2685", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a034b0e724703b9c8846d1b94c4ba02f56406767208de66a609c253e249f2685"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_compute_cells_can_depend_on_other_compute_cells` of class `ReactTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67752, "scanner": "repobility-ast-engine", "fingerprint": "028bd7fded1e4c3ed54a8783a3a4a6dab655e57efb66e9ff73a28cde3b41874e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|028bd7fded1e4c3ed54a8783a3a4a6dab655e57efb66e9ff73a28cde3b41874e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_compute_cells_update_value_when_dependencies_are_changed` of class `ReactTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67751, "scanner": "repobility-ast-engine", "fingerprint": "8e1168642af332b64f828d4d9caab9811a5237eeb238260a3177bd3881c70b11", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8e1168642af332b64f828d4d9caab9811a5237eeb238260a3177bd3881c70b11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_compute_cells_take_inputs_in_the_right_order` of class `ReactTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67750, "scanner": "repobility-ast-engine", "fingerprint": "35f49e187dc570f635794b45cfeacb561b62131c33a20f011dc63b313028fe62", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|35f49e187dc570f635794b45cfeacb561b62131c33a20f011dc63b313028fe62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_compute_cells_calculate_initial_value` of class `ReactTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67749, "scanner": "repobility-ast-engine", "fingerprint": "02050088cf6166fca6c6d28e58cbc47d0db09a6ef4fdaf808d71c8877d42f76e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|02050088cf6166fca6c6d28e58cbc47d0db09a6ef4fdaf808d71c8877d42f76e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_an_input_cell_s_value_can_be_set` of class `ReactTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67748, "scanner": "repobility-ast-engine", "fingerprint": "5fe478d13c6921ee44fb16d79d8082e15fdb9d2aaa4252c6f461a6ca4e3837ef", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5fe478d13c6921ee44fb16d79d8082e15fdb9d2aaa4252c6f461a6ca4e3837ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_input_cells_have_a_value` of class `ReactTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 67747, "scanner": "repobility-ast-engine", "fingerprint": "dd402a3196cd2f234889ff3ec845db9e9ab41333f057baf0168ee9a31e130c7d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|dd402a3196cd2f234889ff3ec845db9e9ab41333f057baf0168ee9a31e130c7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/tools/evals/fixtures/zode/react_test.py"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 67739, "scanner": "repobility-docker", "fingerprint": "2ef32ce2cfd29e73ada1891f56a01d79f300b2800cd40b0df8efb7d2bef7313e", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "9000:9000", "target": "9000", "host_ip": "", "published": "9000"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "blob_store", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|2ef32ce2cfd29e73ada1891f56a01d79f300b2800cd40b0df8efb7d2bef7313e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without 
.dockerignore"}, "properties": {"repobilityId": 67736, "scanner": "repobility-docker", "fingerprint": "7cc740314fe4f4c6cb6ab267beae6e877608ce65d7075123986bc1016954a2f7", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|7cc740314fe4f4c6cb6ab267beae6e877608ce65d7075123986bc1016954a2f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/eval_cli/Dockerfile"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service (DoS). Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 67684, "scanner": "repobility-threat-engine", "fingerprint": "40cb6197533637de3edd0949b55fadeab8a38fa502631d995d2f41206538be63", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|40cb6197533637de3edd0949b55fadeab8a38fa502631d995d2f41206538be63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/github-find-top-duplicated-bugs.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service (DoS). Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 67683, "scanner": "repobility-threat-engine", "fingerprint": "98f08049ed24a8e54184ca97b43b2a498f40fc5f825bb0fb50610585db2841ef", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|98f08049ed24a8e54184ca97b43b2a498f40fc5f825bb0fb50610585db2841ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/github-clean-issue-types.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 67682, "scanner": "repobility-threat-engine", "fingerprint": "0846cc774416690f945583be976c56a1f1524ffb64c67fdf608c3252fbeeec46", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0846cc774416690f945583be976c56a1f1524ffb64c67fdf608c3252fbeeec46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/flatpak/convert-release-notes.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 67680, "scanner": "repobility-threat-engine", "fingerprint": "3b63f647056a64a9a358acd2ad75254903825d34b5eccb93b268c768b40fe725", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((issue) => `#${issue}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3b63f647056a64a9a358acd2ad75254903825d34b5eccb93b268c768b40fe725"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "script/danger/dangerfile.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. 
Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 67675, "scanner": "repobility-threat-engine", "fingerprint": "4bcb2e2c1afb86921cb193c9a753e74daaa3efdc7d377d07383782838a95922b", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "bytes(body.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4bcb2e2c1afb86921cb193c9a753e74daaa3efdc7d377d07383782838a95922b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/http_client/src/async_body.rs"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 67674, "scanner": "repobility-threat-engine", "fingerprint": "36b743ebba0539bcf99d577f959909a715f6fdaf07e10deee7852816174c3eb2", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(RawOpenRequest", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|49|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/zed/src/zed/windows_only_instance.rs"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 67673, "scanner": "repobility-threat-engine", "fingerprint": "a194cc68a4f2b274863199f4b0e8bd9eef5a5fc5b7170d9edb5f27324a266e12", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(RawOpenRequest", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|58|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/zed/src/zed/open_url_modal.rs"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 67672, "scanner": "repobility-threat-engine", "fingerprint": "a55d6ec703c9033d34be89cedc969c6f9a74841a5711bf48fc9cf1d3368c1222", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(&mut self, client: &mut C, input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|37|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/gpui_linux/src/linux/x11/xim_handler.rs"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 67671, "scanner": "repobility-threat-engine", "fingerprint": "fd8fdad3acda68ae81c7287eca1b3446179f304a601b2ad4fafb94913ef70c88", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fd8fdad3acda68ae81c7287eca1b3446179f304a601b2ad4fafb94913ef70c88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/git/src/git.rs"}, "region": {"startLine": 153}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables 
command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 67670, "scanner": "repobility-threat-engine", "fingerprint": "2cd13dd3343e7265789b049d2a3809da965d1dd0afd4643fd881b3c1c1ed7132", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(indoc", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2cd13dd3343e7265789b049d2a3809da965d1dd0afd4643fd881b3c1c1ed7132"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/sqlez/src/savepoint.rs"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 67669, "scanner": "repobility-threat-engine", "fingerprint": "95ea657590009462320f785f26c0c6bd9aaff1c9585f5362053f72cc9f2c4eb9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(tx", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|95ea657590009462320f785f26c0c6bd9aaff1c9585f5362053f72cc9f2c4eb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/collab/src/db/queries/notifications.rs"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 67667, "scanner": "repobility-threat-engine", "fingerprint": "7394601f9e8e1af6baee690daeb673413160c29be4ba5058fa990bbb888cde1f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7394601f9e8e1af6baee690daeb673413160c29be4ba5058fa990bbb888cde1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/collab/src/services/user_service.rs"}, "region": {"startLine": 336}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 67666, "scanner": "repobility-threat-engine", "fingerprint": "074acfc7684a85b68c880bb7a4b3039d135593efed45eab80fee13c6c11338ec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|074acfc7684a85b68c880bb7a4b3039d135593efed45eab80fee13c6c11338ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/collab/src/api/events.rs"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 67665, "scanner": "repobility-threat-engine", "fingerprint": "a5c147c3efa8b8f8136139964a73ee73206916634c2cc923fa89195e7551b93c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a5c147c3efa8b8f8136139964a73ee73206916634c2cc923fa89195e7551b93c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/collab/src/api.rs"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 67642, "scanner": "repobility-threat-engine", "fingerprint": "7c392bd75d84748af64b6e8b2263f79f8fd6db3c64430aec21a79fb92f48cf84", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7c392bd75d84748af64b6e8b2263f79f8fd6db3c64430aec21a79fb92f48cf84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/templates.rs"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 67641, "scanner": "repobility-threat-engine", "fingerprint": "f0793f11941a6c9aab35ec83bfbeb88b9397250792be59ae19da0c0648e0cc72", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f0793f11941a6c9aab35ec83bfbeb88b9397250792be59ae19da0c0648e0cc72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/outline.rs"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 67640, "scanner": "repobility-threat-engine", "fingerprint": "f9e8dbcfb7433075e30aa2f278724ce8ebef5a39a42d3ce80fecd1d4431cf165", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f9e8dbcfb7433075e30aa2f278724ce8ebef5a39a42d3ce80fecd1d4431cf165"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/native_agent_server.rs"}, "region": {"startLine": 74}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 67638, "scanner": "repobility-threat-engine", "fingerprint": "5d17eea487dd325462260c082044427cd486e4575344c02295ff8233fee9e532", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cx.update(|cx| {\n            let settings = SettingsStore::test(cx);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5d17eea487dd325462260c082044427cd486e4575344c02295ff8233fee9e532"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/outline.rs"}, "region": {"startLine": 179}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 67637, "scanner": "repobility-threat-engine", "fingerprint": "504b14191f544bbc7b29aa96cde19b2fec666eceb2020e48b7fab90c1a234ab7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cx.update(|cx| {\n                let registry = language_model::LanguageModelRegistry::", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|504b14191f544bbc7b29aa96cde19b2fec666eceb2020e48b7fab90c1a234ab7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent/src/native_agent_server.rs"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 67636, "scanner": "repobility-threat-engine", "fingerprint": "5efc2124d035aa6f38817189dd4a173158a591ef2f9b88b0f7a7fe8184fabf89", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "self.terminal.update(cx, |terminal, _cx| {\n            terminal.kill_active_task();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5efc2124d035aa6f38817189dd4a173158a591ef2f9b88b0f7a7fe8184fabf89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/acp_thread/src/terminal.rs"}, "region": {"startLine": 197}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 67634, "scanner": "repobility-threat-engine", "fingerprint": "1684faf40eceb119bc6c562491a99e2c99700ca470f8e5df8647e67ba1b4e064", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1684faf40eceb119bc6c562491a99e2c99700ca470f8e5df8647e67ba1b4e064"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/agent_ui/src/ui/end_trial_upsell.rs"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 67633, "scanner": "repobility-threat-engine", "fingerprint": "2fd5f868a8b4aecb57e5105d2caa057029ddd7bb23f4697ce2d6289ef7867d3f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2fd5f868a8b4aecb57e5105d2caa057029ddd7bb23f4697ce2d6289ef7867d3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".cloudflare/open-source-website-assets/src/worker.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 67632, "scanner": "repobility-threat-engine", "fingerprint": "761e1a6f2a9118d7f04d3869d530dc3f5a9ab4648b10abf0d1deff8c219c80ec", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|761e1a6f2a9118d7f04d3869d530dc3f5a9ab4648b10abf0d1deff8c219c80ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".cloudflare/docs-proxy/src/worker.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AZURE_SIGNING_TENANT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AZURE_SIGNING_TENANT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67804, "scanner": "repobility-supply-chain", "fingerprint": "65921a38399305da68c67ad850482a83381c64ab5fb209c0744b0b17acf926ed", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|65921a38399305da68c67ad850482a83381c64ab5fb209c0744b0b17acf926ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 188}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ZED_SENTRY_MINIDUMP_ENDPOINT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ZED_SENTRY_MINIDUMP_ENDPOINT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67803, "scanner": "repobility-supply-chain", "fingerprint": "d2c0aaa6e75a3603d78677cb771929d9ca5e760cce78adb73e3c6d5caab8f0da", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d2c0aaa6e75a3603d78677cb771929d9ca5e760cce78adb73e3c6d5caab8f0da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ZED_CLIENT_CHECKSUM_SEED` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ZED_CLIENT_CHECKSUM_SEED }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67802, "scanner": "repobility-supply-chain", "fingerprint": "03d154fc94ceba52779b8b6262c2b0dd834a815e5e8daaa048a5d4779a7a23ff", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|03d154fc94ceba52779b8b6262c2b0dd834a815e5e8daaa048a5d4779a7a23ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 186}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SENTRY_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67801, "scanner": "repobility-supply-chain", "fingerprint": "1447f564c3d973badab201a92270e1e2024b8b4c229e1ddcb07c4b48531e18bb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1447f564c3d973badab201a92270e1e2024b8b4c229e1ddcb07c4b48531e18bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APPLE_NOTARIZATION_ISSUER_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_NOTARIZATION_ISSUER_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67800, "scanner": "repobility-supply-chain", "fingerprint": "62c9384d7f799fb17ff8e2ad8d43a343cffd84082d5611f18bb16cca7144d5ca", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|62c9384d7f799fb17ff8e2ad8d43a343cffd84082d5611f18bb16cca7144d5ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APPLE_NOTARIZATION_KEY_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_NOTARIZATION_KEY_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67799, "scanner": "repobility-supply-chain", "fingerprint": "8638da853cb36746029eab5c8f485d4a173d88fa254b9be7dd1123bbf62a7532", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8638da853cb36746029eab5c8f485d4a173d88fa254b9be7dd1123bbf62a7532"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 147}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APPLE_NOTARIZATION_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_NOTARIZATION_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67798, "scanner": "repobility-supply-chain", "fingerprint": "9190c2d7886fc1548b386b4b1fae672ccc6fc82eb15544e3a58d1f7e6db7b0e1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9190c2d7886fc1548b386b4b1fae672ccc6fc82eb15544e3a58d1f7e6db7b0e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.MACOS_CERTIFICATE_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.MACOS_CERTIFICATE_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67797, "scanner": "repobility-supply-chain", "fingerprint": "c54b8eaca78f41cf4f9b2538f91f1ed67d69bbe307d61349968488b52fc1e5de", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c54b8eaca78f41cf4f9b2538f91f1ed67d69bbe307d61349968488b52fc1e5de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.MACOS_CERTIFICATE` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.MACOS_CERTIFICATE }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67796, "scanner": "repobility-supply-chain", "fingerprint": "ef1447f6fc60ba7d554e28e83e2e772fdda0cb22c7bb4fab2b22bfcf8dd747f0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef1447f6fc60ba7d554e28e83e2e772fdda0cb22c7bb4fab2b22bfcf8dd747f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ZED_SENTRY_MINIDUMP_ENDPOINT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ZED_SENTRY_MINIDUMP_ENDPOINT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67795, "scanner": "repobility-supply-chain", "fingerprint": "c484d67ef8c401478eaacca9e741c89a36f0f1150d616c0f0cc3a04dd607b12b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c484d67ef8c401478eaacca9e741c89a36f0f1150d616c0f0cc3a04dd607b12b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ZED_CLIENT_CHECKSUM_SEED` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ZED_CLIENT_CHECKSUM_SEED }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67794, "scanner": "repobility-supply-chain", "fingerprint": "d161682872b98961e928e5cbc2b2ed5321f40b49ef6b6305930adbc013c1b397", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d161682872b98961e928e5cbc2b2ed5321f40b49ef6b6305930adbc013c1b397"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SENTRY_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67793, "scanner": "repobility-supply-chain", "fingerprint": "0a7b6cda051c2106fa64923a59d3243376093c4e339cbd4a28ec567390bcb14b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a7b6cda051c2106fa64923a59d3243376093c4e339cbd4a28ec567390bcb14b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APPLE_NOTARIZATION_ISSUER_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_NOTARIZATION_ISSUER_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67792, "scanner": "repobility-supply-chain", "fingerprint": "c4c2219e500dc1b97c2c7cb45f0a684ad313ae75c2ee7a20e92c262ef42a3ea6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c4c2219e500dc1b97c2c7cb45f0a684ad313ae75c2ee7a20e92c262ef42a3ea6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APPLE_NOTARIZATION_KEY_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_NOTARIZATION_KEY_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67791, "scanner": "repobility-supply-chain", "fingerprint": "27f9fae6f2997c4945a8bb2ea42c5b97e2e1cf80546ed4a0d71e2d0fabab9418", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|27f9fae6f2997c4945a8bb2ea42c5b97e2e1cf80546ed4a0d71e2d0fabab9418"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APPLE_NOTARIZATION_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_NOTARIZATION_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67790, "scanner": "repobility-supply-chain", "fingerprint": "48c8add421b395861d2c9f2b82a72d00838121e9e5ff09503427c89ab251d69e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|48c8add421b395861d2c9f2b82a72d00838121e9e5ff09503427c89ab251d69e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.MACOS_CERTIFICATE_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.MACOS_CERTIFICATE_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67789, "scanner": "repobility-supply-chain", "fingerprint": "fad9165dfc61f21b69e496bf79028e9a993b08aa3543ff28cca0c89c5ebc34ea", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fad9165dfc61f21b69e496bf79028e9a993b08aa3543ff28cca0c89c5ebc34ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.MACOS_CERTIFICATE` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.MACOS_CERTIFICATE }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67788, "scanner": "repobility-supply-chain", "fingerprint": "e3574be9d84ac5517473c1d0d06e93011019677b4455f7387a2228b5d89934be", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e3574be9d84ac5517473c1d0d06e93011019677b4455f7387a2228b5d89934be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ZED_SENTRY_MINIDUMP_ENDPOINT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ZED_SENTRY_MINIDUMP_ENDPOINT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67787, "scanner": "repobility-supply-chain", "fingerprint": "1ef8a4dd68c0344fc193b0e68af9716f4521ec29b95a14e46f403cf3b8dddfae", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ef8a4dd68c0344fc193b0e68af9716f4521ec29b95a14e46f403cf3b8dddfae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ZED_CLIENT_CHECKSUM_SEED` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ZED_CLIENT_CHECKSUM_SEED }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67786, "scanner": "repobility-supply-chain", "fingerprint": "2d5adedadd648db0f8b8b4c8abdf2ea73accb8e95234c43db0a2dcab43b33a1b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2d5adedadd648db0f8b8b4c8abdf2ea73accb8e95234c43db0a2dcab43b33a1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SENTRY_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67785, "scanner": "repobility-supply-chain", "fingerprint": "793904c1254ed3263710a2bfcb23a0cfc438fd7546ace84ab4171207a3880687", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|793904c1254ed3263710a2bfcb23a0cfc438fd7546ace84ab4171207a3880687"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ZED_SENTRY_MINIDUMP_ENDPOINT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ZED_SENTRY_MINIDUMP_ENDPOINT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67784, "scanner": "repobility-supply-chain", "fingerprint": "34858e896a9e1bb9fc5d7b22320e59041069fa61953d0f62229e22a476378ebd", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|34858e896a9e1bb9fc5d7b22320e59041069fa61953d0f62229e22a476378ebd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ZED_CLIENT_CHECKSUM_SEED` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ZED_CLIENT_CHECKSUM_SEED }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67783, "scanner": "repobility-supply-chain", "fingerprint": "7d2b1ebac3626714d633bb97304c435d9f54a71d8b374775fd43d72f172dfdb0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d2b1ebac3626714d633bb97304c435d9f54a71d8b374775fd43d72f172dfdb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SENTRY_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67782, "scanner": "repobility-supply-chain", "fingerprint": "b99af85432db8db2d6aa0008b635c46a344c6bc5f598904d41c1c7367add3524", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b99af85432db8db2d6aa0008b635c46a344c6bc5f598904d41c1c7367add3524"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ZED_SENTRY_MINIDUMP_ENDPOINT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ZED_SENTRY_MINIDUMP_ENDPOINT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67781, "scanner": "repobility-supply-chain", "fingerprint": "82aa665ad348aa6913224917fbb77c44a447c6a7659e6bfc6ad1ce5778573a0b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|82aa665ad348aa6913224917fbb77c44a447c6a7659e6bfc6ad1ce5778573a0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ZED_CLIENT_CHECKSUM_SEED` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ZED_CLIENT_CHECKSUM_SEED }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 67780, "scanner": "repobility-supply-chain", "fingerprint": "38e434f162bf0dfc47a4c25be27a97b355f743191349a78a7d9821e91fd46587", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|38e434f162bf0dfc47a4c25be27a97b355f743191349a78a7d9821e91fd46587"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run_bundling.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 67738, "scanner": "repobility-docker", "fingerprint": "d6ade188c7633911a4b82baa7dd9c579ec80c0674e17ce39a26ad59aa77892bd", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "blob_store", "variable": "MINIO_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|d6ade188c7633911a4b82baa7dd9c579ec80c0674e17ce39a26ad59aa77892bd", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: 
require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 67676, "scanner": "repobility-threat-engine", "fingerprint": "cade5242b1666e1e5f300585e45fac480e56e2f955145e28e4ddefcc765d51bb", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(prettierPath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cade5242b1666e1e5f300585e45fac480e56e2f955145e28e4ddefcc765d51bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/prettier/src/prettier_server.js"}, "region": {"startLine": 268}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 67664, "scanner": "repobility-threat-engine", "fingerprint": "04f24657949de6359761c6e71a1ff59c4278a7c0d4c96c85a940b8d462d34813", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|04f24657949de6359761c6e71a1ff59c4278a7c0d4c96c85a940b8d462d34813"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "crates/client/src/proxy/http_proxy.rs"}, "region": {"startLine": 
181}}}]}]}]}