{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . 
with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AGT013", "name": "Agent auto-approve or skip-permissions mode is easy to enable", "shortDescription": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "fullDescription": {"text": "Require an explicit isolated profile for auto-approve modes. Keep safe defaults interactive, add visible warnings, and block these modes when the workspace contains secrets or production deploy credentials."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. 
For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AGT014", "name": "Codex auth.json is read or copied without visible secret-file hardening", "shortDescription": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "fullDescription": {"text": "Use the platform credential store where possible. If auth files must be touched, enforce 0600 permissions, avoid backups in the repo/workspace, redact logs, and document rotation if the file is exposed."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Parse only usage metadata by default. Redact prompts, tool arguments, file paths, and message content before storage, telemetry, export, screenshots, or support bundles."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. 
The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC014", "name": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.", "shortDescription": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "fullDescription": {"text": "Enable SSL verification. Use verify=True (default) for requests. 
Pin certificates if needed."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. 
Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name 
looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 2 more): Same pattern found in 2 additional files. ", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). 
For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 5 more): Same pattern found in 5 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED049] Print Pii (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check (and 3 more): Same pattern found in 3 a", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 20 more): Same pattern found in 20 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 12 more): Same pattern found in 12 additional f", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url (and 5 more): Same pattern found in 5 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED013] Password In Url (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 52 more): Same pattern found in 52 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 52 more): Same pattern found in 52 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 44 more): Same pattern found in 44 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 44 more): Same pattern found in 44 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 73 more): Same pattern found in 73 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 73 more): Same pattern found in 73 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-r", "shortDescription": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025"}, "fullDescription": {"text": "Replace with: `uses: actions/setup-node@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `docker.io/cloudflare/sandbox:0.7.0` not pinned by digest: `FROM docker.io/cloudflare/sandbox", "shortDescription": {"text": "[MINED118] Dockerfile FROM `docker.io/cloudflare/sandbox:0.7.0` not pinned by digest: `FROM docker.io/cloudflare/sandbox:0.7.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is p"}, "fullDescription": {"text": "Replace with: `FROM docker.io/cloudflare/sandbox:0.7.0@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express POST /routine-triggers/public/:publicId/fire has no auth: Express route POST /routine-triggers/public", "shortDescription": {"text": "[MINED113] Express POST /routine-triggers/public/:publicId/fire has no auth: Express route POST /routine-triggers/public/:publicId/fire declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on"}, "fullDescription": {"text": "Add an auth middleware: app.post('/routine-triggers/public/:publicId/fire', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. 
Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in G", "shortDescription": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... 
| sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED114", "name": "[MINED114] Admin endpoint without auth: PUT /admin/users/:userId/company-access: Express route on /admin path (/admin/us", "shortDescription": {"text": "[MINED114] Admin endpoint without auth: PUT /admin/users/:userId/company-access: Express route on /admin path (/admin/users/:userId/company-access) with no auth middleware."}, "fullDescription": {"text": "Add an auth middleware: app.put('/admin/users/:userId/company-access', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "critical", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/839"}, "properties": {"repository": "paperclipai/paperclip", "repoUrl": "https://github.com/paperclipai/paperclip", "branch": "master"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 75276, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 75275, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], 
"correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 75264, "scanner": "repobility-docker", "fingerprint": "cac54774da8655a6532b02d1595b10a1afd2bca1cba8ab30b33108f580f50375", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "docker.io/cloudflare/sandbox:0.7.0", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|cac54774da8655a6532b02d1595b10a1afd2bca1cba8ab30b33108f580f50375"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/plugins/sandbox-providers/cloudflare/bridge-template/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 75263, "scanner": "repobility-docker", "fingerprint": "aa1c05f0dc33b5172425bb7aa7cc8ecc6d477b2c4ab9a79a0a4e9f29230fedfd", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:22-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", 
"https://github.com/hadolint/hadolint"], "correlation_key": "fp|aa1c05f0dc33b5172425bb7aa7cc8ecc6d477b2c4ab9a79a0a4e9f29230fedfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/openclaw-smoke/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 75261, "scanner": "repobility-docker", "fingerprint": "2ec176811dd4e67e33eed82ff651a28c0f7353096dca69f687a864f0edf5b782", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2ec176811dd4e67e33eed82ff651a28c0f7353096dca69f687a864f0edf5b782"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 55}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 75260, "scanner": "repobility-docker", "fingerprint": "d9035bfa3dcf04c2e10bc6a79a381f1fe95cac3976f3b8082df18210fcf17ed8", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|d9035bfa3dcf04c2e10bc6a79a381f1fe95cac3976f3b8082df18210fcf17ed8", "missing_patterns": [".env", 
"id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 49}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 75259, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored. Note: the only artifact listed is a 0.0 MB SQL file under packages/db/src/migrations/, which is a schema migration rather than a dump or local database file and is typically meant to ship with the image; verify that no real dump is in the context before accepting the confirmed verdict.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "packages/db/src/migrations/0059_plugin_database_namespaces.sql", "size_mb": 0.0}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 75258, "scanner": "repobility-agent-runtime", "fingerprint": "af067cbfa5011d18c40e049682ac02654ad4b7871bb448c9b3b8d70d0d5a125e", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|af067cbfa5011d18c40e049682ac02654ad4b7871bb448c9b3b8d70d0d5a125e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/adapters/cursor-local/src/shared/trust.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 75257, "scanner": "repobility-agent-runtime", "fingerprint": "c23798b2a24cd4469431c4178873bcb264393aeb1e3bcaea9a155afc7413c1f4", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|c23798b2a24cd4469431c4178873bcb264393aeb1e3bcaea9a155afc7413c1f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/cursor-local/src/index.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 75256, "scanner": "repobility-agent-runtime", "fingerprint": "822b46d83617e6962e35473b24e23ec64929244d89703802f92132a1773611a9", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|822b46d83617e6962e35473b24e23ec64929244d89703802f92132a1773611a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/cursor-local/src/index.ts"}, "region": {"startLine": 106}}}]}, {"ruleId": "AGT014", "level": "warning", "message": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "properties": {"repobilityId": 75255, "scanner": 
"repobility-agent-runtime", "fingerprint": "bd98e884a29cbbd3e20915fdb739417aaa8d55bf80d9ac37dc65ab49b4a31449", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File references Codex auth.json or CODEX_HOME with read/copy/write behavior and no visible permission or secure-storage guard.", "evidence": {"rule_id": "AGT014", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|bd98e884a29cbbd3e20915fdb739417aaa8d55bf80d9ac37dc65ab49b4a31449"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/codex-local/src/server/quota.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 75254, "scanner": "repobility-agent-runtime", "fingerprint": "40c797d9e8b66e46e069f2b8ab04f8d3b74638302ff595b6ebae81e8d44d7c71", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|40c797d9e8b66e46e069f2b8ab04f8d3b74638302ff595b6ebae81e8d44d7c71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/codex-local/src/server/execute.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 75253, "scanner": "repobility-agent-runtime", "fingerprint": "62c867abc85b44949c440fc76684163e2335c4593829b2e76a2a20418506c770", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": 
"likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|62c867abc85b44949c440fc76684163e2335c4593829b2e76a2a20418506c770"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/claude-local/src/index.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "AGT014", "level": "warning", "message": {"text": "Codex auth.json is read or copied without visible secret-file hardening"}, "properties": {"repobilityId": 75252, "scanner": "repobility-agent-runtime", "fingerprint": "ecc58b3ddf99d4d93dd2c478ef9b6c5a04bc260782e38b8d70bf0d773c3ce9f9", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File references Codex auth.json or CODEX_HOME with read/copy/write behavior and no visible permission or secure-storage guard.", "evidence": {"rule_id": "AGT014", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ecc58b3ddf99d4d93dd2c478ef9b6c5a04bc260782e38b8d70bf0d773c3ce9f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/acpx-local/src/server/test.ts"}, "region": {"startLine": 82}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 75251, "scanner": "repobility-agent-runtime", "fingerprint": "089a71deb772d7100fe39e7e2e00832789616e894592da0110eb0c9479028e1a", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], 
"correlation_key": "fp|089a71deb772d7100fe39e7e2e00832789616e894592da0110eb0c9479028e1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-utils/src/execution-target.ts"}, "region": {"startLine": 569}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 75219, "scanner": "repobility-threat-engine", "fingerprint": "8236b79aaec6464698a084ad39b269638b1405dad95ad4aeaf3aa7b67ffe167f", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched on a _blank target, but the matched window.open() call passes \"noopener,noreferrer\" in its windowFeatures argument, which nulls window.opener in the opened page; this is the mitigation the rule looks for, so the finding is likely a false positive and should be re-triaged rather than accepted as confirmed.", "evidence": {"match": "window.open(window.location.href, \"_blank\", \"noopener,noreferrer\")", "reason": "Pattern matched on a _blank target, but the matched window.open() call passes \"noopener,noreferrer\" in its windowFeatures argument, which nulls window.opener in the opened page; this is the mitigation the rule looks for, so the finding is likely a false positive and should be re-triaged rather than accepted as confirmed.", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|87|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/components/StandaloneBrowserControls.tsx"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 75212, "scanner": "repobility-threat-engine", "fingerprint": "4a1beff601c76e25148fac5e6a6988cdb4e70caa7b76098f9c754bca51f58d96", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random().toString(36).slice(2, 8)}`,\n                name,\n                key", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4a1beff601c76e25148fac5e6a6988cdb4e70caa7b76098f9c754bca51f58d96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/storybook/stories/secrets.stories.tsx"}, "region": {"startLine": 147}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 75211, "scanner": "repobility-threat-engine", "fingerprint": "e73ce8c0ee8312c4181f914295cd237d7b1f2f0cf8dd26e30a4aead48375a77e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random().toString(36).slice(2, 8)}`,\n            name,\n            key", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e73ce8c0ee8312c4181f914295cd237d7b1f2f0cf8dd26e30a4aead48375a77e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/storybook/stories/routine-secrets.stories.tsx"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 75210, "scanner": "repobility-threat-engine", "fingerprint": "9c2d3b8e4a048e20e081e006ca28449a3f7b5cda276be1426ee5e11680fa07bd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched: Math.random() supplies part of a temporary file name derived from the target path. This is not a token or key, but a guessable temp-file suffix lets another local process pre-create or collide with the path if the directory is shared (CWE-377); crypto.randomUUID() or fs.mkdtemp() would remove the guesswork.", "evidence": {"match": "ive: true });\n\n      const tempPath = `${targetPath}.tmp-${Date.now()}-${Math.random(", "reason": "Pattern matched: Math.random() supplies part of a temporary file name derived from the target path. This is not a token or key, but a guessable temp-file suffix lets another local process pre-create or collide with the path if the directory is shared (CWE-377); crypto.randomUUID() or fs.mkdtemp() would remove the guesswork.", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9c2d3b8e4a048e20e081e006ca28449a3f7b5cda276be1426ee5e11680fa07bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/storage/local-disk-provider.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "properties": {"repobilityId": 75198, "scanner": "repobility-threat-engine", "fingerprint": "f9d941a969d752ea91751f6ea0ea14b9ff7d8285409ecf0b41b7d6974eaa45f5", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched on the literal substring verify=false in a shell script. The rule assumes this disables TLS certificate verification, but the meaning of the flag depends on the tool it is passed to; confirm what consumes it at scripts/release.sh line 12 before treating the finding as confirmed.", "evidence": {"match": "verify=false", "reason": "Pattern matched on the literal substring verify=false in a shell script. The rule assumes this disables TLS certificate verification, but the meaning of the flag depends on the tool it is passed to; confirm what consumes it at scripts/release.sh line 12 before treating the finding as confirmed.", "rule_id": "SEC014", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|scripts/release.sh|12|sec014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release.sh"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data 
\u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 75189, "scanner": "repobility-threat-engine", "fingerprint": "5a58b0d8a21ef91ad26f6bbc918fce4a92dc3634b33f105aa7fb4bc5e4851d4f", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched on the token .exec( in a TypeScript file. In JS/TS that token is typically RegExp.prototype.exec or child_process.exec, not Python eval()/exec(), so the __builtins__ sandbox-escape note in the rule text does not apply; if this is child_process.exec, the question is whether the command string includes untrusted input (CWE-78), which the match alone does not establish.", "evidence": {"match": ".exec(", "reason": "Pattern matched on the token .exec( in a TypeScript file. In JS/TS that token is typically RegExp.prototype.exec or child_process.exec, not Python eval()/exec(), so the __builtins__ sandbox-escape note in the rule text does not apply; if this is child_process.exec, the question is whether the command string includes untrusted input (CWE-78), which the match alone does not establish.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|116|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/plugins/sandbox-providers/cloudflare/bridge-template/src/exec.ts"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 75188, "scanner": "repobility-threat-engine", "fingerprint": "2e75cafad2329541dd62b03bd0c34962dc658cff6c445a116c2478b8e9d8a21c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched on the token .exec( in a TypeScript file. In JS/TS that token is typically RegExp.prototype.exec or child_process.exec, not Python eval()/exec(), so the __builtins__ sandbox-escape note in the rule text does not apply; if this is child_process.exec, the question is whether the command string includes untrusted input (CWE-78), which the match alone does not establish.", "evidence": {"match": ".exec(", "reason": "Pattern matched on the token .exec( in a TypeScript file. In JS/TS that token is typically RegExp.prototype.exec or child_process.exec, not Python eval()/exec(), so the __builtins__ sandbox-escape note in the rule text does not apply; if this is child_process.exec, the question is whether the command string includes untrusted input (CWE-78), which the match alone does not establish.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|4|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/plugins/sandbox-providers/cloudflare/bridge-template/src/auth.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 75187, "scanner": "repobility-threat-engine", "fingerprint": "1063fa51f642b0705925801685f8d223d7388c6f3a18bfabb9ba36667da39ed4", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|76|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/grok-local/src/server/test.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 75184, "scanner": "repobility-threat-engine", "fingerprint": "27a4681077d86e3aa424dec45a7d7d235734ef407986bede0fcd318e8cc19397", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|27a4681077d86e3aa424dec45a7d7d235734ef407986bede0fcd318e8cc19397"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/gemini-local/src/server/skills.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 75183, "scanner": "repobility-threat-engine", "fingerprint": "e9550717e42dba1357c020adb1da166b097271a61db4079650412834c9d835ca", "category": "error_handling", 
"severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e9550717e42dba1357c020adb1da166b097271a61db4079650412834c9d835ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/cursor-local/src/server/skills.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 75182, "scanner": "repobility-threat-engine", "fingerprint": "43b5cd5be60d050673a1fca0988a318f08ecc33e15fa2c0ee1e657205525d34b", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|43b5cd5be60d050673a1fca0988a318f08ecc33e15fa2c0ee1e657205525d34b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/claude-local/src/server/prompt-cache.ts"}, "region": {"startLine": 130}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 75274, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was 
discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 75273, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 75272, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 
1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 75271, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 75268, "scanner": "repobility-docker", "fingerprint": "646782cf6706192962a4dfda7b82c637df2353e54484aa74c30ad7e61de64f4f", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|646782cf6706192962a4dfda7b82c637df2353e54484aa74c30ad7e61de64f4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 75267, "scanner": "repobility-docker", "fingerprint": 
"d9fa1e4c8f610aa95c842f4e684955786456606f31f6d89dc56d31ea8b45d004", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "server", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d9fa1e4c8f610aa95c842f4e684955786456606f31f6d89dc56d31ea8b45d004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 75262, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75250, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0c71325e9bbdfce9242aecc2e6b1e7ebc5dcb6210536add7f32c50a8f8f3ca6e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, 
"reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/codex-local/src/server/execute.ts", "duplicate_line": 371, "correlation_key": "fp|0c71325e9bbdfce9242aecc2e6b1e7ebc5dcb6210536add7f32c50a8f8f3ca6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/gemini-local/src/server/execute.ts"}, "region": {"startLine": 195}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75249, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3a5561860d7d29a482296bf2af1d846b439de16a41fd4406812eafd5dd0c835e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/cursor-local/src/server/execute.ts", "duplicate_line": 6, "correlation_key": "fp|3a5561860d7d29a482296bf2af1d846b439de16a41fd4406812eafd5dd0c835e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/gemini-local/src/server/execute.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75248, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e806ce078493799999a8034c89f827cec6b7e11752b9e500209993c5908ae0b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test 
files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/claude-local/src/ui/parse-stdout.ts", "duplicate_line": 8, "correlation_key": "fp|4e806ce078493799999a8034c89f827cec6b7e11752b9e500209993c5908ae0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/gemini-local/src/cli/format-event.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75247, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b0d4d959d03aa2cbc104bdae3630087efc72deead909d5cbea96a7fa996c1837", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/cursor-local/src/cli/format-event.ts", "duplicate_line": 3, "correlation_key": "fp|b0d4d959d03aa2cbc104bdae3630087efc72deead909d5cbea96a7fa996c1837"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/gemini-local/src/cli/format-event.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75246, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4f1c46c7e46a1649f02c3f699b92e1d7972fe305ddab254a8221b2035ae14e09", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/cursor-local/src/cli/format-event.ts", "duplicate_line": 3, "correlation_key": "fp|4f1c46c7e46a1649f02c3f699b92e1d7972fe305ddab254a8221b2035ae14e09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/cursor-local/src/ui/parse-stdout.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75245, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b888bdb39cfb50211b755e1636fea40092801977560835315443a45541eaa451", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/codex-local/src/ui/parse-stdout.ts", "duplicate_line": 2, "correlation_key": "fp|b888bdb39cfb50211b755e1636fea40092801977560835315443a45541eaa451"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/cursor-local/src/ui/parse-stdout.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75244, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2efb6d89c9c54d185df7f73729e101cc17057356b43f0d5c260d3123c12f1279", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "packages/adapters/acpx-local/src/ui/build-config.ts", "duplicate_line": 10, "correlation_key": "fp|2efb6d89c9c54d185df7f73729e101cc17057356b43f0d5c260d3123c12f1279"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/cursor-local/src/ui/build-config.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75243, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c376d4fe05aea3e37eba31e37a30cb19d3279cf1fbe0ca4a0cf5d0076cf1db2e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/claude-local/src/server/test.ts", "duplicate_line": 10, "correlation_key": "fp|c376d4fe05aea3e37eba31e37a30cb19d3279cf1fbe0ca4a0cf5d0076cf1db2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/cursor-local/src/server/test.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75242, "scanner": "repobility-ai-code-hygiene", "fingerprint": "76cd525126bf8fbc5667213691496fd8e637544a4505d32f6524136dda20abcd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/codex-local/src/server/index.ts", 
"duplicate_line": 25, "correlation_key": "fp|76cd525126bf8fbc5667213691496fd8e637544a4505d32f6524136dda20abcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/cursor-local/src/server/index.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75241, "scanner": "repobility-ai-code-hygiene", "fingerprint": "89f86098c40103256d634cf89a41542feb88d85b06515e1156a10eab4639aa2c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/codex-local/src/server/execute.ts", "duplicate_line": 68, "correlation_key": "fp|89f86098c40103256d634cf89a41542feb88d85b06515e1156a10eab4639aa2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/cursor-local/src/server/execute.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75240, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bd08fbcb13aa56237ff94cc3a9122910568577a806e3aa3ed32483178c31c59d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/codex-local/src/ui/parse-stdout.ts", "duplicate_line": 2, "correlation_key": 
"fp|bd08fbcb13aa56237ff94cc3a9122910568577a806e3aa3ed32483178c31c59d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/cursor-cloud/src/ui/parse-stdout.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75239, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3ce5efc4d9a44914308139caf00836ba4712557a987f32c96f1c97999fd4f480", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/acpx-local/src/ui/build-config.ts", "duplicate_line": 16, "correlation_key": "fp|3ce5efc4d9a44914308139caf00836ba4712557a987f32c96f1c97999fd4f480"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/cursor-cloud/src/ui/build-config.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75238, "scanner": "repobility-ai-code-hygiene", "fingerprint": "48c93724ded94b1b4599a6f4eca697ebc566fc5edb565ac665f258a302ac2002", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/cursor-cloud/src/server/execute.ts", "duplicate_line": 49, "correlation_key": "fp|48c93724ded94b1b4599a6f4eca697ebc566fc5edb565ac665f258a302ac2002"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/cursor-cloud/src/server/test.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75237, "scanner": "repobility-ai-code-hygiene", "fingerprint": "439d96ee916c5a63ce0f9356bb2fe658095ba896d36e9a68777519ef31ac4cd1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/claude-local/src/ui/parse-stdout.ts", "duplicate_line": 8, "correlation_key": "fp|439d96ee916c5a63ce0f9356bb2fe658095ba896d36e9a68777519ef31ac4cd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/codex-local/src/ui/parse-stdout.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75236, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9302121c10e8febb45a6ef6e2b087e53555f0700f3ad88f857ac57b5dcdcc79d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/codex-local/src/cli/format-event.ts", "duplicate_line": 2, "correlation_key": "fp|9302121c10e8febb45a6ef6e2b087e53555f0700f3ad88f857ac57b5dcdcc79d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"packages/adapters/codex-local/src/ui/parse-stdout.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75235, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e700ba7aae185bdd0bc9a16920c140de573ea06c55bddd67621a2392b74147df", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/acpx-local/src/ui/build-config.ts", "duplicate_line": 9, "correlation_key": "fp|e700ba7aae185bdd0bc9a16920c140de573ea06c55bddd67621a2392b74147df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/codex-local/src/ui/build-config.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75234, "scanner": "repobility-ai-code-hygiene", "fingerprint": "84dc47c657f7f3a8dd7a40b29a585f78045fe4cdb0a12a1aa42ed55489fa3016", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/claude-local/src/server/test.ts", "duplicate_line": 27, "correlation_key": "fp|84dc47c657f7f3a8dd7a40b29a585f78045fe4cdb0a12a1aa42ed55489fa3016"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/codex-local/src/server/test.ts"}, "region": {"startLine": 28}}}]}, 
{"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75233, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bf98cf4a98a2b2754f902056e01e6b04e749ea477b5ee50a5f96fed037740d63", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/acpx-local/src/server/skills.ts", "duplicate_line": 1, "correlation_key": "fp|bf98cf4a98a2b2754f902056e01e6b04e749ea477b5ee50a5f96fed037740d63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/codex-local/src/server/skills.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75232, "scanner": "repobility-ai-code-hygiene", "fingerprint": "60fa7a0358683bfee052d10a828d7c7e2a352d74f52de758554d211a138ffb4e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/claude-local/src/server/parse.ts", "duplicate_line": 182, "correlation_key": "fp|60fa7a0358683bfee052d10a828d7c7e2a352d74f52de758554d211a138ffb4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/codex-local/src/server/parse.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block 
across source files"}, "properties": {"repobilityId": 75231, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f400736fb8c7da3288a43c44f70abcc9823b378c9e4343387d9a3e9fbac60538", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/claude-local/src/server/index.ts", "duplicate_line": 22, "correlation_key": "fp|f400736fb8c7da3288a43c44f70abcc9823b378c9e4343387d9a3e9fbac60538"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/codex-local/src/server/index.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75230, "scanner": "repobility-ai-code-hygiene", "fingerprint": "df81085057c9a65629dbd0fea0e13e27a1e128186b8283410339070e8316847b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/claude-local/src/ui/parse-stdout.ts", "duplicate_line": 8, "correlation_key": "fp|df81085057c9a65629dbd0fea0e13e27a1e128186b8283410339070e8316847b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/codex-local/src/cli/format-event.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75229, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "b763b7ceaa077f0186ef2e399ba8e00806e5521efb5a504ecfd1e2b67373b44d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/acpx-local/src/ui/build-config.ts", "duplicate_line": 10, "correlation_key": "fp|b763b7ceaa077f0186ef2e399ba8e00806e5521efb5a504ecfd1e2b67373b44d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/claude-local/src/ui/build-config.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75228, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e41303ad05f01453619542601827cacefe026ce34e7cbb7e680995c2e058a16e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/src/commands/heartbeat-run.ts", "duplicate_line": 38, "correlation_key": "fp|e41303ad05f01453619542601827cacefe026ce34e7cbb7e680995c2e058a16e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/claude-local/src/cli/format-event.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75227, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"313b9b404df354e121768055a1d7be56dc5908c28f37bf9895c7de48c799b723", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapters/acpx-local/src/cli/format-event.ts", "duplicate_line": 2, "correlation_key": "fp|313b9b404df354e121768055a1d7be56dc5908c28f37bf9895c7de48c799b723"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/acpx-local/src/ui/parse-stdout.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75226, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e9fada88171af7e4a98d136bbecf269ea8048396491a76f0d7ead44ddf3ed31a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/adapter-utils/src/remote-managed-runtime.ts", "duplicate_line": 17, "correlation_key": "fp|e9fada88171af7e4a98d136bbecf269ea8048396491a76f0d7ead44ddf3ed31a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-utils/src/sandbox-managed-runtime.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75225, "scanner": "repobility-ai-code-hygiene", "fingerprint": "16d8a07c4a122d32d1ff6cbc4ef2d791f31a8957df1d889183b259b37350052f", "category": 
"quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/src/commands/client/cost.ts", "duplicate_line": 3, "correlation_key": "fp|16d8a07c4a122d32d1ff6cbc4ef2d791f31a8957df1d889183b259b37350052f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/client/workspace.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75224, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b71b122715aa902723898b5b88af2cb971344d04c4e1d839802d0cfaac1704dc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/src/commands/client/access.ts", "duplicate_line": 1, "correlation_key": "fp|b71b122715aa902723898b5b88af2cb971344d04c4e1d839802d0cfaac1704dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/client/workspace.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75223, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d132e3a4ba54d0232c0bcc87aaa87e4dffadb5b0c59e8a602283596a01bbd16", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code 
window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/src/commands/client/access.ts", "duplicate_line": 1, "correlation_key": "fp|8d132e3a4ba54d0232c0bcc87aaa87e4dffadb5b0c59e8a602283596a01bbd16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/client/cost.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75222, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9b1805fd6198a11d3b083ebc2e9c426b778aa91d83da5de53f7c828d2f49470c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cli/src/commands/client/activity.ts", "duplicate_line": 39, "correlation_key": "fp|9b1805fd6198a11d3b083ebc2e9c426b778aa91d83da5de53f7c828d2f49470c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/client/approval.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 75221, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cf2354a37dec33d5850a96d7bf4153e5683aa841c60ffb9bb5bf5e3532a26466", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "cli/src/commands/client/activity.ts", "duplicate_line": 39, "correlation_key": "fp|cf2354a37dec33d5850a96d7bf4153e5683aa841c60ffb9bb5bf5e3532a26466"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/client/agent.ts"}, "region": {"startLine": 264}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 75220, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2c7e16104aa76c1da0dc83021052ea791a398566b043cf39b0c21dd0c31f148d", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "backup", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|2c7e16104aa76c1da0dc83021052ea791a398566b043cf39b0c21dd0c31f148d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/db-backup.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 75218, "scanner": "repobility-threat-engine", "fingerprint": "e3388b234273f4a2e74e16f8adc875a3f1486e18f190fcdf1616eb27c8e71c32", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e3388b234273f4a2e74e16f8adc875a3f1486e18f190fcdf1616eb27c8e71c32", "aggregated_count": 1}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 75217, "scanner": "repobility-threat-engine", "fingerprint": "3a958d60b4492be8fd40eacf52d93d340f4c5f1f4627609c528d7cee0802c0a9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3a958d60b4492be8fd40eacf52d93d340f4c5f1f4627609c528d7cee0802c0a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/components/PageSkeleton.tsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 75216, "scanner": "repobility-threat-engine", "fingerprint": "749e87e50c9f33347b4429d2628ff274e27c0311fabd09a83a4bba86c741f585", "category": 
"quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|749e87e50c9f33347b4429d2628ff274e27c0311fabd09a83a4bba86c741f585"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/components/EnvVarEditor.tsx"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 75215, "scanner": "repobility-threat-engine", "fingerprint": "2f6c0fb7e49c44457e95d82a8c40358cf83179639b6bc86944e47ff4a50fb06b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2f6c0fb7e49c44457e95d82a8c40358cf83179639b6bc86944e47ff4a50fb06b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/components/BreadcrumbBar.tsx"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 75209, "scanner": "repobility-threat-engine", "fingerprint": "f7514ccf534cc5113658f2b5f06d1371c7005d5fc5ef9f259f1bd6011b87cfbf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f7514ccf534cc5113658f2b5f06d1371c7005d5fc5ef9f259f1bd6011b87cfbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/finance.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC135", "level": "none", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 75208, "scanner": "repobility-threat-engine", "fingerprint": "6fa2e9ef1c1856e1ba7ae153052023beba4be6def90f2e547c9aea7606eafe65", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|6fa2e9ef1c1856e1ba7ae153052023beba4be6def90f2e547c9aea7606eafe65"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 75204, "scanner": "repobility-threat-engine", "fingerprint": "729b643e6bca2592aa4fc4944c630a8412fcea5fbfca0cb8905d71a0efec47d6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|729b643e6bca2592aa4fc4944c630a8412fcea5fbfca0cb8905d71a0efec47d6", "aggregated_count": 1}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 75203, "scanner": "repobility-threat-engine", "fingerprint": "7869821f6cafb143bef16e48714f59d3061775c71090ad2083f2fc1a1aec6d82", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", 
"triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7869821f6cafb143bef16e48714f59d3061775c71090ad2083f2fc1a1aec6d82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/services/plugin-config-validator.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 75202, "scanner": "repobility-threat-engine", "fingerprint": "7b6996a114e29fd94f905e6a0dc00293ab9b8da9fbe237ab3e1be1eea51cbe26", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7b6996a114e29fd94f905e6a0dc00293ab9b8da9fbe237ab3e1be1eea51cbe26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/middleware/logger.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 75201, "scanner": "repobility-threat-engine", "fingerprint": "cf2dfe48384d761c6c237793e166149a17e907a77e6768780011e9ac36d102a4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": 
["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cf2dfe48384d761c6c237793e166149a17e907a77e6768780011e9ac36d102a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/middleware/error-handler.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 75195, "scanner": "repobility-threat-engine", "fingerprint": "fba2bddb16b4fb3945109c63b0797163fc83af5804267937cc842add7498ab16", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|19|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/plugins/sandbox-providers/cloudflare/bridge-template/src/helpers.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "properties": {"repobilityId": 75194, "scanner": "repobility-threat-engine", "fingerprint": "f0f1912fabc03e8b42b281439b24cb65b4b95c00e24de98dbc05ebdccb4b8c1d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f0f1912fabc03e8b42b281439b24cb65b4b95c00e24de98dbc05ebdccb4b8c1d"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 75190, "scanner": "repobility-threat-engine", "fingerprint": "9a38e81725d4cd7d3858c2dca40b30fff35130f2f83e2579933f8cbdf2284cba", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9a38e81725d4cd7d3858c2dca40b30fff35130f2f83e2579933f8cbdf2284cba"}}}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 6 more): Same pattern found in 6 additional files. 
Review if needed."}, "properties": {"repobilityId": 75185, "scanner": "repobility-threat-engine", "fingerprint": "79beb8c79c8fe2afad3d97b1aaa69b9e44070a54ac39178f92cc366b51132c53", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|79beb8c79c8fe2afad3d97b1aaa69b9e44070a54ac39178f92cc366b51132c53"}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 75181, "scanner": "repobility-threat-engine", "fingerprint": "6a18ab7a9e98c274da2376be7d4db90ac5c0793ef3977493da2ca34a4a66e837", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6a18ab7a9e98c274da2376be7d4db90ac5c0793ef3977493da2ca34a4a66e837", "aggregated_count": 5}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 75180, "scanner": "repobility-threat-engine", "fingerprint": "2c8fb39c9eeee7e44fea80438273692f17a13e8e0cda1e788e4345732a10f2dd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2c8fb39c9eeee7e44fea80438273692f17a13e8e0cda1e788e4345732a10f2dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/codex-local/src/cli/format-event.ts"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 75179, "scanner": "repobility-threat-engine", "fingerprint": "28347ab05afe5a107d8b73f881b2bf878c938a54262f267563f29f35b83ec23a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no 
mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|28347ab05afe5a107d8b73f881b2bf878c938a54262f267563f29f35b83ec23a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/claude-local/src/cli/quota-probe.ts"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 75178, "scanner": "repobility-threat-engine", "fingerprint": "065be789afb4276b67dea2cb899a96276714b89c8608f2463ebcc4c0d2e78f49", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|065be789afb4276b67dea2cb899a96276714b89c8608f2463ebcc4c0d2e78f49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/claude-local/src/cli/format-event.ts"}, "region": {"startLine": 128}}}]}, {"ruleId": "SEC114", "level": "none", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 75177, "scanner": "repobility-threat-engine", "fingerprint": "24f4624d0de920ee81a058388763b66a99b20d4d0144f10b5e9e0d4729fc87e4", "category": "path_traversal", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|24f4624d0de920ee81a058388763b66a99b20d4d0144f10b5e9e0d4729fc87e4"}}}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 75173, "scanner": "repobility-threat-engine", "fingerprint": "a1bb6273fbdc514ec53143946386dbdf16802c8fad0fe59f75dea80ba84c286d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a1bb6273fbdc514ec53143946386dbdf16802c8fad0fe59f75dea80ba84c286d"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 20 more): Same pattern found in 20 additional files. 
Review if needed."}, "properties": {"repobilityId": 75169, "scanner": "repobility-threat-engine", "fingerprint": "cab71e3e0d858a3b16cef86155b5a70720336ed5d7b2fcc3b519bb449894bd76", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|cab71e3e0d858a3b16cef86155b5a70720336ed5d7b2fcc3b519bb449894bd76"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 75165, "scanner": "repobility-threat-engine", "fingerprint": "2454a821dca7e8b7eee4ad624534d3bf4f2d3ba2c05a9af5a0018158e97617f7", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2454a821dca7e8b7eee4ad624534d3bf4f2d3ba2c05a9af5a0018158e97617f7"}}}, {"ruleId": "MINED013", "level": "none", "message": {"text": "[MINED013] Password In Url (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "properties": {"repobilityId": 75161, "scanner": "repobility-threat-engine", "fingerprint": "9bfd6566c4950b71629bfffc8cced8a852e5eee4396aeb5cfc18b5fd8d58f73f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9bfd6566c4950b71629bfffc8cced8a852e5eee4396aeb5cfc18b5fd8d58f73f", "aggregated_count": 5}}}, {"ruleId": "SEC022", "level": "none", "message": {"text": "[SEC022] Database URL With Embedded Credential (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 75157, "scanner": "repobility-threat-engine", "fingerprint": "c8425e6700c1d95b6cacded725fe72b4c455d9fb2a0cddfeb2a6f7d806b30c0b", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c8425e6700c1d95b6cacded725fe72b4c455d9fb2a0cddfeb2a6f7d806b30c0b"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 9 more): Same pattern found in 9 additional files. 
Review if needed."}, "properties": {"repobilityId": 75153, "scanner": "repobility-threat-engine", "fingerprint": "6ca3af492f7e6c1db301ad52802c2d4a47c0eeb5e4b8c82b99531327b37204e9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6ca3af492f7e6c1db301ad52802c2d4a47c0eeb5e4b8c82b99531327b37204e9", "aggregated_count": 9}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 75152, "scanner": "repobility-threat-engine", "fingerprint": "3181a825735f42133f3623a46253408f6be36b3069a0f45c054535f96b15f4d6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3181a825735f42133f3623a46253408f6be36b3069a0f45c054535f96b15f4d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/prompts/server.ts"}, "region": {"startLine": 200}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": 
"[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 75151, "scanner": "repobility-threat-engine", "fingerprint": "ddd7d2bed143960aa39e9dfef4e2e3b2080a860a326b61a9007c0177bd9ce1ff", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ddd7d2bed143960aa39e9dfef4e2e3b2080a860a326b61a9007c0177bd9ce1ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/config/hostnames.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 75150, "scanner": "repobility-threat-engine", "fingerprint": "869285c656f15947d5c3976b9bd80477d9cc00430cb40f719c0196830556d561", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|869285c656f15947d5c3976b9bd80477d9cc00430cb40f719c0196830556d561"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"cli/src/commands/client/common.ts"}, "region": {"startLine": 257}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 52 more): Same pattern found in 52 additional files. Review if needed."}, "properties": {"repobilityId": 75149, "scanner": "repobility-threat-engine", "fingerprint": "321342f2e9902eedd7b86f8a5f0e186508d665dec5306772f752809beb735ab6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 52 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|321342f2e9902eedd7b86f8a5f0e186508d665dec5306772f752809beb735ab6", "aggregated_count": 52}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 75148, "scanner": "repobility-threat-engine", "fingerprint": "62b3fcf2ffab7ee2d749f5bf1ffffc9e341aebe85eeb5154c834cf899f79678f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|62b3fcf2ffab7ee2d749f5bf1ffffc9e341aebe85eeb5154c834cf899f79678f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/client/common.ts"}, "region": {"startLine": 214}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 75147, "scanner": "repobility-threat-engine", "fingerprint": "2864bc7d24dd0b107a59a3a4dffb0a5d8e9f3d8d8f41080de0b18874a6b74abd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2864bc7d24dd0b107a59a3a4dffb0a5d8e9f3d8d8f41080de0b18874a6b74abd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/allowed-hostname.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 75146, "scanner": "repobility-threat-engine", "fingerprint": "5d7e23cd6744d90597d85aa90d57547f284a789f0b6dd8a0042496588c37ff3a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5d7e23cd6744d90597d85aa90d57547f284a789f0b6dd8a0042496588c37ff3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/checks/secrets-check.ts"}, "region": {"startLine": 204}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 44 more): Same pattern found in 44 additional files. Review if needed."}, "properties": {"repobilityId": 75145, "scanner": "repobility-threat-engine", "fingerprint": "b13b0a7a8bb74ca2d81dc12323eb1c7f6b3a9681090a54be187e59a2c3e9f7e3", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 44 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 44 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b13b0a7a8bb74ca2d81dc12323eb1c7f6b3a9681090a54be187e59a2c3e9f7e3"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 75141, "scanner": "repobility-threat-engine", "fingerprint": "260684795bf2afdc86f315902c265bf0ecbdf41aa73697ff08b95a7d16b6d065", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|260684795bf2afdc86f315902c265bf0ecbdf41aa73697ff08b95a7d16b6d065"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 73 more): Same pattern found in 73 additional files. Review if needed."}, "properties": {"repobilityId": 75137, "scanner": "repobility-threat-engine", "fingerprint": "1eb5df8444fd1dac5c7227d8d2334411cb269e0e92260a9a14add4314c712897", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 73 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|1eb5df8444fd1dac5c7227d8d2334411cb269e0e92260a9a14add4314c712897", "aggregated_count": 73}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 75136, "scanner": "repobility-threat-engine", "fingerprint": "882f260fc186096d1df0487ab08a611729c281f1e4b2e401dd46f7c5e22b7da0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|882f260fc186096d1df0487ab08a611729c281f1e4b2e401dd46f7c5e22b7da0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/check-pr-lockfile.mjs"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 75135, "scanner": "repobility-threat-engine", "fingerprint": "c951bc2863e1af99bf2b2e7fe47f984fa80471efdfa9953d5235255fe79c4c80", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c951bc2863e1af99bf2b2e7fe47f984fa80471efdfa9953d5235255fe79c4c80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/check-pr-linked-issue.mjs"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 75134, "scanner": "repobility-threat-engine", "fingerprint": "79b432b9a2b8125697ce3690441f5f96ffcd51814b9f5f8ac22d3a0845cd3811", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|79b432b9a2b8125697ce3690441f5f96ffcd51814b9f5f8ac22d3a0845cd3811"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/check-pr-dependencies.mjs"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75334, "scanner": "repobility-supply-chain", "fingerprint": "302e8a1ad40187c375fc446a406502a8e01ba2d6b5148287d7a2893fa24a7cdd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|302e8a1ad40187c375fc446a406502a8e01ba2d6b5148287d7a2893fa24a7cdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 276}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75333, "scanner": "repobility-supply-chain", "fingerprint": "5c039bab34c1ab757285a45c4d91c58cdbcbb518ce65369d96ab80e257c2763b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5c039bab34c1ab757285a45c4d91c58cdbcbb518ce65369d96ab80e257c2763b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 271}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75332, "scanner": "repobility-supply-chain", "fingerprint": "426ac613a7b513d4b1b098179f0d035047e2e08179bb1bfc3290b21cd3581a6f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|426ac613a7b513d4b1b098179f0d035047e2e08179bb1bfc3290b21cd3581a6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 268}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75331, "scanner": "repobility-supply-chain", "fingerprint": "8a51049ccde763623f9d49887aeecedd14b49ea0cb14687346b6b1b0661efdd4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8a51049ccde763623f9d49887aeecedd14b49ea0cb14687346b6b1b0661efdd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 245}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75330, "scanner": "repobility-supply-chain", "fingerprint": "fcbb00f63f80a6978c83d0cff64b4af576de3dce102d25d3a7fe60ee131432ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fcbb00f63f80a6978c83d0cff64b4af576de3dce102d25d3a7fe60ee131432ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 240}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75329, "scanner": "repobility-supply-chain", "fingerprint": "be424dcbc557b780218e0f4083575d0e4814b27f25821678270ac1d2f058747e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be424dcbc557b780218e0f4083575d0e4814b27f25821678270ac1d2f058747e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 237}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75328, "scanner": "repobility-supply-chain", "fingerprint": "b67006b41270f0bf5241db3d2d9b87eee89b1b1cbb1f78dba88ad0611197defe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b67006b41270f0bf5241db3d2d9b87eee89b1b1cbb1f78dba88ad0611197defe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 218}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75327, "scanner": "repobility-supply-chain", "fingerprint": "113d3a1a9e509a1ad9ac9fd7b42726694558f18b4b9c418b9ad789d885f6fc0e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|113d3a1a9e509a1ad9ac9fd7b42726694558f18b4b9c418b9ad789d885f6fc0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 213}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75326, "scanner": "repobility-supply-chain", "fingerprint": "ef2bd2a6c26840cab73fa2200ab02580310908a76956a680d9bbeef9635e1a5a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ef2bd2a6c26840cab73fa2200ab02580310908a76956a680d9bbeef9635e1a5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 210}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75325, "scanner": "repobility-supply-chain", "fingerprint": "1df650864ec77078ad8ead2c29d46c957c9a99701d2f6d069310ea0e44bc91ce", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1df650864ec77078ad8ead2c29d46c957c9a99701d2f6d069310ea0e44bc91ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 175}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75324, "scanner": "repobility-supply-chain", "fingerprint": "64c62a42c2a08332e7285d72dcddcc6acdc45bfd6fe4163a181389d00222b20a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|64c62a42c2a08332e7285d72dcddcc6acdc45bfd6fe4163a181389d00222b20a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75323, "scanner": "repobility-supply-chain", "fingerprint": "b8421c3341cb264d6088ad8f3626d1f0f853773c5eb5db3785823af4fd5701da", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b8421c3341cb264d6088ad8f3626d1f0f853773c5eb5db3785823af4fd5701da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75322, "scanner": "repobility-supply-chain", "fingerprint": "bbcc956e09b5f17452e286ff5f23c3e6035be46cc5f2c61c43b730b58185a559", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bbcc956e09b5f17452e286ff5f23c3e6035be46cc5f2c61c43b730b58185a559"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75321, "scanner": "repobility-supply-chain", "fingerprint": "c9564aa9bff26f354fac9a1f39fa2b5421db95aa2e7201b3869c616532100819", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c9564aa9bff26f354fac9a1f39fa2b5421db95aa2e7201b3869c616532100819"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75320, "scanner": "repobility-supply-chain", "fingerprint": "9238220da3078a62928915d3844f25f81e0d5ad7ecaadc7a9bfd90bd725cfd55", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9238220da3078a62928915d3844f25f81e0d5ad7ecaadc7a9bfd90bd725cfd55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75319, "scanner": "repobility-supply-chain", "fingerprint": "1b54381e36ffd3c01e8add1b1efd6b3940aec87a360d776e70d9c2ca2050baa1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b54381e36ffd3c01e8add1b1efd6b3940aec87a360d776e70d9c2ca2050baa1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75318, "scanner": "repobility-supply-chain", "fingerprint": "8000ee17e7e5b452128dbba11a2ca5f014b289d4741e0eb0968c8f312af4425b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8000ee17e7e5b452128dbba11a2ca5f014b289d4741e0eb0968c8f312af4425b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75317, "scanner": "repobility-supply-chain", "fingerprint": "16e856879672ceaa69ca9253b34baee727043347c8afdb79422db49fd9920069", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|16e856879672ceaa69ca9253b34baee727043347c8afdb79422db49fd9920069"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75316, "scanner": "repobility-supply-chain", "fingerprint": "660155d79ca88222ae29d0349d2c85ca03af44c6885e9e9eeaf006704cf6bf52", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|660155d79ca88222ae29d0349d2c85ca03af44c6885e9e9eeaf006704cf6bf52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75315, "scanner": "repobility-supply-chain", "fingerprint": "c4f8763c1a85562d9bd5109723a8273e221743fccdf06f0465495a245b5a2789", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c4f8763c1a85562d9bd5109723a8273e221743fccdf06f0465495a245b5a2789"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75314, "scanner": "repobility-supply-chain", "fingerprint": "7047f25146f6f6e7fa9476c4322d6fe06a4224cd8cc032bf1f5619fbefebf8ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7047f25146f6f6e7fa9476c4322d6fe06a4224cd8cc032bf1f5619fbefebf8ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75313, "scanner": "repobility-supply-chain", "fingerprint": "80b221c4c909c15e212c2d6395c17ea58060074ed09311cfe1a29e1507a8ce7f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|80b221c4c909c15e212c2d6395c17ea58060074ed09311cfe1a29e1507a8ce7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75312, "scanner": "repobility-supply-chain", "fingerprint": "8f1f359d3590e5a01930cee5620b9df8e1966deca1f1abd0f9509ea6b09662d8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8f1f359d3590e5a01930cee5620b9df8e1966deca1f1abd0f9509ea6b09662d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/refresh-lockfile.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75311, "scanner": "repobility-supply-chain", "fingerprint": "b9d42a8c6f70a3680acf7dc48520a08b097290dd8e2140fc5c0a5ecba2095f69", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b9d42a8c6f70a3680acf7dc48520a08b097290dd8e2140fc5c0a5ecba2095f69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/refresh-lockfile.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75310, "scanner": "repobility-supply-chain", "fingerprint": "8d99b71163fcd0051df7c7cccc5fd9c5ce857f8c9678439b0d7ab8253dfe5378", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8d99b71163fcd0051df7c7cccc5fd9c5ce857f8c9678439b0d7ab8253dfe5378"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/refresh-lockfile.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `docker.io/cloudflare/sandbox:0.7.0` not pinned by digest: `FROM docker.io/cloudflare/sandbox:0.7.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 75309, "scanner": "repobility-supply-chain", "fingerprint": "ee185942e83a2cb48af8b740e03e3fe998ee9b8231b578365ef9a84aff9a6ed2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ee185942e83a2cb48af8b740e03e3fe998ee9b8231b578365ef9a84aff9a6ed2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/plugins/sandbox-providers/cloudflare/bridge-template/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:lts-trixie-slim` not pinned by digest: `FROM node:lts-trixie-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 75308, "scanner": "repobility-supply-chain", "fingerprint": "471148670083cff899abdce47b819e4409f1f72762da2109bce26c627922947d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|471148670083cff899abdce47b819e4409f1f72762da2109bce26c627922947d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/untrusted-review/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 75307, "scanner": "repobility-supply-chain", "fingerprint": "959a613a6965f1b1b9e42de3719a6dde0a547ec18fdced8a633d01ee32836289", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|959a613a6965f1b1b9e42de3719a6dde0a547ec18fdced8a633d01ee32836289"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/openclaw-smoke/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 75306, "scanner": "repobility-supply-chain", "fingerprint": "1eb0193a6d6943ff5d2c8b7bd650a91d10893240190af55602e0ec2f1ea33105", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1eb0193a6d6943ff5d2c8b7bd650a91d10893240190af55602e0ec2f1ea33105"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.onboard-smoke"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:lts-trixie-slim` not pinned by digest: `FROM node:lts-trixie-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 75305, "scanner": "repobility-supply-chain", "fingerprint": "94bd8c07ab5a25461b5b2ea10aa0220a1d1fc7df4cee310781912d4799304f4a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|94bd8c07ab5a25461b5b2ea10aa0220a1d1fc7df4cee310781912d4799304f4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /routine-triggers/public/:publicId/fire has no auth: Express route POST /routine-triggers/public/:publicId/fire declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75301, "scanner": "repobility-route-auth", "fingerprint": "a286818626c0a37bcb28ddc501cf9a35aa49faaaa001fd9dd4906193f04c9a44", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a286818626c0a37bcb28ddc501cf9a35aa49faaaa001fd9dd4906193f04c9a44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/routines.ts"}, "region": {"startLine": 440}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /routines/:id/run has no auth: Express route POST /routines/:id/run declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75300, "scanner": "repobility-route-auth", "fingerprint": "2399ccf2ec2ea8af314dea5481c321d5622de54763730e010341fbed968aae31", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|2399ccf2ec2ea8af314dea5481c321d5622de54763730e010341fbed968aae31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/routines.ts"}, "region": {"startLine": 414}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /routine-triggers/:id/rotate-secret has no auth: Express route POST /routine-triggers/:id/rotate-secret declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75299, "scanner": "repobility-route-auth", "fingerprint": "1e072eb1f625e7d32235600e904fb1960a48159f3db57b561a6e32d4ec4d83f8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|1e072eb1f625e7d32235600e904fb1960a48159f3db57b561a6e32d4ec4d83f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/routines.ts"}, "region": {"startLine": 371}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /routine-triggers/:id has no auth: Express route DELETE /routine-triggers/:id declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75298, "scanner": "repobility-route-auth", "fingerprint": "4a4992bf3752cb0397a430485473b08ba56bf2033108c3ad95710812aea51c08", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|4a4992bf3752cb0397a430485473b08ba56bf2033108c3ad95710812aea51c08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/routines.ts"}, "region": {"startLine": 330}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PATCH /routine-triggers/:id has no auth: Express route PATCH /routine-triggers/:id declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75297, "scanner": "repobility-route-auth", "fingerprint": "6c69893323d78cdfd65d71c01de9300d38811941f0293dcf87de4b82a28b7d47", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6c69893323d78cdfd65d71c01de9300d38811941f0293dcf87de4b82a28b7d47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/routines.ts"}, "region": {"startLine": 288}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /routines/:id/triggers has no auth: Express route POST /routines/:id/triggers declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75296, "scanner": "repobility-route-auth", "fingerprint": "0cc7aad5f581dd5b9d8e8e68bb12e816d02d0f1d5e1777f35a8194427a8db724", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|0cc7aad5f581dd5b9d8e8e68bb12e816d02d0f1d5e1777f35a8194427a8db724"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/routines.ts"}, "region": {"startLine": 253}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /routines/:id/revisions/:revisionId/restore has no auth: Express route POST /routines/:id/revisions/:revisionId/restore declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75295, "scanner": "repobility-route-auth", "fingerprint": "82e533c99cc388e8423bd86dad9a2ccb501c257b65894cfedbec6a8295d14fe2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|82e533c99cc388e8423bd86dad9a2ccb501c257b65894cfedbec6a8295d14fe2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/routines.ts"}, "region": {"startLine": 208}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PATCH /routines/:id has no auth: Express route PATCH /routines/:id declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75294, "scanner": "repobility-route-auth", "fingerprint": "6f880300308ec249653626b5f89adf6ac2246b6d0abcd016e9ede1f537e0dc09", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6f880300308ec249653626b5f89adf6ac2246b6d0abcd016e9ede1f537e0dc09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/routines.ts"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /companies/:companyId/routines has no auth: Express route POST /companies/:companyId/routines declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75293, "scanner": "repobility-route-auth", "fingerprint": "417d4d702926168356528e1e32f151bf7e296456eabd9c91c32af430c1614db2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|417d4d702926168356528e1e32f151bf7e296456eabd9c91c32af430c1614db2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/routines.ts"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /companies/:companyId/environments/probe-config has no auth: Express route POST /companies/:companyId/environments/probe-config declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75292, "scanner": "repobility-route-auth", "fingerprint": "e646e284354aaafdd898d781b0873a12e762f0225a8ddc757fe20960b0c1fa33", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|e646e284354aaafdd898d781b0873a12e762f0225a8ddc757fe20960b0c1fa33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/environments.ts"}, "region": {"startLine": 428}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /environments/:id/probe has no auth: Express route POST /environments/:id/probe declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75291, "scanner": "repobility-route-auth", "fingerprint": "55333c69be7d2efab84e82169e6a8b188945f4583da14d45f0ae197985865c4b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|55333c69be7d2efab84e82169e6a8b188945f4583da14d45f0ae197985865c4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/environments.ts"}, "region": {"startLine": 399}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /environments/:id has no auth: Express route DELETE /environments/:id declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75290, "scanner": "repobility-route-auth", "fingerprint": "72498b78be64a54c661c27998afc797314009703141538f05dd0abf137abe9e9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|72498b78be64a54c661c27998afc797314009703141538f05dd0abf137abe9e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/environments.ts"}, "region": {"startLine": 359}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PATCH /environments/:id has no auth: Express route PATCH /environments/:id declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75289, "scanner": "repobility-route-auth", "fingerprint": "1b21ca33f7d1178dd22a977080eaecc54c13faa85ebe9a930c9a581b51610f16", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|1b21ca33f7d1178dd22a977080eaecc54c13faa85ebe9a930c9a581b51610f16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/environments.ts"}, "region": {"startLine": 292}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /companies/:companyId/environments has no auth: Express route POST /companies/:companyId/environments declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75288, "scanner": "repobility-route-auth", "fingerprint": "8b529052b3654dd0994ed312bcd36903ccea7cf0a21aa6210fdb9e3ff5889ea8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|8b529052b3654dd0994ed312bcd36903ccea7cf0a21aa6210fdb9e3ff5889ea8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/environments.ts"}, "region": {"startLine": 196}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /dev-server/restart has no auth: Express route POST /dev-server/restart declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75287, "scanner": "repobility-route-auth", "fingerprint": "02c18c12db85f71c3ea847a93537a77c4dd62511cc6ab4508c7d1c4bc9320627", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|02c18c12db85f71c3ea847a93537a77c4dd62511cc6ab4508c7d1c4bc9320627"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/health.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /adapters/:type/reinstall has no auth: Express route POST /adapters/:type/reinstall declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75286, "scanner": "repobility-route-auth", "fingerprint": "934ca567f5e58e3a0fc929d252bad88e5f6f71f1c49e36609bb3950df480ea43", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|934ca567f5e58e3a0fc929d252bad88e5f6f71f1c49e36609bb3950df480ea43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/adapters.ts"}, "region": {"startLine": 566}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /adapters/:type/reload has no auth: Express route POST /adapters/:type/reload declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75285, "scanner": "repobility-route-auth", "fingerprint": "a19d0280bf2c23beb1b770e9cdc78ad3f459e13e1221441e2b80e2de7344eba7", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a19d0280bf2c23beb1b770e9cdc78ad3f459e13e1221441e2b80e2de7344eba7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/adapters.ts"}, "region": {"startLine": 514}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /adapters/:type has no auth: Express route DELETE /adapters/:type declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75284, "scanner": "repobility-route-auth", "fingerprint": "d208f8a68bd1100732881ba7fbfe91450e7cea35d0138d867c9d94f6741180b9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|d208f8a68bd1100732881ba7fbfe91450e7cea35d0138d867c9d94f6741180b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/adapters.ts"}, "region": {"startLine": 439}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PATCH /adapters/:type/override has no auth: Express route PATCH /adapters/:type/override declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75283, "scanner": "repobility-route-auth", "fingerprint": "3cecd789d43f8634471f7c2664bbedd93d29878ffc78c8c1b0b8955f6ba61f6c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|3cecd789d43f8634471f7c2664bbedd93d29878ffc78c8c1b0b8955f6ba61f6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/adapters.ts"}, "region": {"startLine": 411}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PATCH /adapters/:type has no auth: Express route PATCH /adapters/:type declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75282, "scanner": "repobility-route-auth", "fingerprint": "abf63f8163f0a48b8f337e97bfad4d5f08e3fa3d4d4dc9d6c3a77a319870a5a8", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|abf63f8163f0a48b8f337e97bfad4d5f08e3fa3d4d4dc9d6c3a77a319870a5a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/adapters.ts"}, "region": {"startLine": 376}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /adapters/install has no auth: Express route POST /adapters/install declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75281, "scanner": "repobility-route-auth", "fingerprint": "77982c31fd9ea47d80f04b6e4ef4104359e8dc72a6f273592061b139caa36367", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|77982c31fd9ea47d80f04b6e4ef4104359e8dc72a6f273592061b139caa36367"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/adapters.ts"}, "region": {"startLine": 229}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PATCH /profile has no auth: Express route PATCH /profile declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75280, "scanner": "repobility-route-auth", "fingerprint": "64d1f58ebfd56929bee187bbbcc01bd2878d0e983aa2dc378d4e6e3ce2174741", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|64d1f58ebfd56929bee187bbbcc01bd2878d0e983aa2dc378d4e6e3ce2174741"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/auth.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PATCH /execution-workspaces/:id has no auth: Express route PATCH /execution-workspaces/:id declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75279, "scanner": "repobility-route-auth", "fingerprint": "ec19b1d0021b9643494646ca4e430582793fad0e01f461792e490b361d837f0e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ec19b1d0021b9643494646ca4e430582793fad0e01f461792e490b361d837f0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/execution-workspaces.ts"}, "region": {"startLine": 442}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /execution-workspaces/:id/runtime-commands/:action has no auth: Express route POST /execution-workspaces/:id/runtime-commands/:action declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75278, "scanner": "repobility-route-auth", "fingerprint": "5f8e84680cd256ea04473978e326d5e16fa30997a658467d21f8b7878f287ee3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|5f8e84680cd256ea04473978e326d5e16fa30997a658467d21f8b7878f287ee3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/execution-workspaces.ts"}, "region": {"startLine": 440}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /execution-workspaces/:id/runtime-services/:action has no auth: Express route POST /execution-workspaces/:id/runtime-services/:action declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75277, "scanner": "repobility-route-auth", "fingerprint": "07ac84aecf83f33c66df85b6da3a74a7129612b61c430356e4c09cf32e661b87", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|07ac84aecf83f33c66df85b6da3a74a7129612b61c430356e4c09cf32e661b87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/execution-workspaces.ts"}, "region": {"startLine": 439}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 75270, "scanner": "repobility-journey-contract", "fingerprint": "edff1bc7449fe56d397ba5cd59e8fa15f0a4ac280f34518abeab53f109febb87", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|741|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/pages/InviteLanding.tsx"}, "region": {"startLine": 741}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 75269, "scanner": "repobility-journey-contract", "fingerprint": 
"44bd9e64a1e1895cb1e2ad8e459e609225d283775331d5537f15d6db718f589e", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|ui/src/pages/auth.tsx|137|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/pages/Auth.tsx"}, "region": {"startLine": 137}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 75266, "scanner": "repobility-docker", "fingerprint": "f6422ecbe1cb37b05ac17544d38ca72fa2618a0340cd8310c16699aaad10ff25", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "5432:5432", "target": "5432", "host_ip": "", "published": "5432"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|f6422ecbe1cb37b05ac17544d38ca72fa2618a0340cd8310c16699aaad10ff25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 75213, "scanner": "repobility-threat-engine", "fingerprint": "9c4a8470637fd665ebdb2ce8fef895bb81fb1ab28d462bb5f3573697807a6256", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(CACHE_NAME).then((cache) => cache.put(request", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|ui/public/sw.js|31|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/public/sw.js"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 75207, "scanner": "repobility-threat-engine", "fingerprint": "29b1bf31471276300c6e68475cef0abcaaf5923532ed4115c69acadfab732e4e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.delete(\"/goals/:id\", async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|29b1bf31471276300c6e68475cef0abcaaf5923532ed4115c69acadfab732e4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/goals.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 75206, "scanner": "repobility-threat-engine", "fingerprint": "6ed100544d5a85bfef233d8fb85974e6db9604275f1c81c3cccc2809e334f993", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.post(\"/cloud-upstreams/connect/start\", async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6ed100544d5a85bfef233d8fb85974e6db9604275f1c81c3cccc2809e334f993"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/cloud-upstreams.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 75205, "scanner": "repobility-threat-engine", "fingerprint": "38736a5e750b34c8b6a08028796a86159e673e403eab5e83d23f2dcb1e70bfcb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.post(\"/companies/:companyId/assets/images\", async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|38736a5e750b34c8b6a08028796a86159e673e403eab5e83d23f2dcb1e70bfcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/assets.ts"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 75199, "scanner": "repobility-threat-engine", "fingerprint": "a457e9f4b5a97b0c559a82a00129b55d3de65bd539a829fdd08030067db5ea13", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a457e9f4b5a97b0c559a82a00129b55d3de65bd539a829fdd08030067db5ea13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/release.sh"}, "region": {"startLine": 12}}}]}, {"ruleId": 
"SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 75193, "scanner": "repobility-threat-engine", "fingerprint": "9a1a7b4ed311d59f7deffd2ec05f323c5f6b4e880940e2136fd6fe9ed903b4c2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(fullCommand", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9a1a7b4ed311d59f7deffd2ec05f323c5f6b4e880940e2136fd6fe9ed903b4c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/plugins/sandbox-providers/cloudflare/bridge-template/src/exec.ts"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 75192, "scanner": "repobility-threat-engine", "fingerprint": "12cbcb198203284781b0308929ff2715e31facfcbc83e70f009887c278ff0819", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(header", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|12cbcb198203284781b0308929ff2715e31facfcbc83e70f009887c278ff0819"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/plugins/sandbox-providers/cloudflare/bridge-template/src/auth.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 75191, "scanner": "repobility-threat-engine", "fingerprint": "d824458fda845f16f8d6837bf7b3089da6a0b44bc7ae055a90a3037c32e5d2d0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(line", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d824458fda845f16f8d6837bf7b3089da6a0b44bc7ae055a90a3037c32e5d2d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/grok-local/src/server/test.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... 
| sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 75186, "scanner": "repobility-threat-engine", "fingerprint": "e97c8ca5b64e1500b23fc327d9785cac6736213c1553fb90eda24b9a2753efaf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e97c8ca5b64e1500b23fc327d9785cac6736213c1553fb90eda24b9a2753efaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/cursor-local/src/index.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 75176, "scanner": "repobility-threat-engine", "fingerprint": "340dc54ca6531d9a6a0cb86752b97e0d0d25fdf1ac01855ac6fd5f419e75cf7b", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(resolveXdgConfigHome(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|61|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/opencode-local/src/server/runtime-config.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 75175, "scanner": "repobility-threat-engine", "fingerprint": "1419988eec26562ad50c915d2d3bb515e6b61b5a7ddef88b4fe995d10993fae5", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(input.rootDir, input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|57|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/claude-local/src/server/claude-config.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 75174, "scanner": "repobility-threat-engine", "fingerprint": "aa459d5a7615c413fcec2b24fa62d7eb24170cf39dac35bba8c71916a5443540", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|236|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-utils/src/workspace-restore-merge.ts"}, "region": {"startLine": 236}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 75172, "scanner": "repobility-threat-engine", "fingerprint": "217f87bbd24fdfab3d7132e93f2c740fe1072b83fa5e7824d5db6fee9862794e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(PROJECT_MENTION_LINK_RE", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|217f87bbd24fdfab3d7132e93f2c740fe1072b83fa5e7824d5db6fee9862794e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shared/src/project-mentions.ts"}, "region": {"startLine": 203}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can 
craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 75171, "scanner": "repobility-threat-engine", "fingerprint": "05c927af3b332f2b567e39dc883172e08bcd03d9acb9c9fe711f5a7ff326a345", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(ISSUE_REFERENCE_TOKEN_RE", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|05c927af3b332f2b567e39dc883172e08bcd03d9acb9c9fe711f5a7ff326a345"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shared/src/issue-references.ts"}, "region": {"startLine": 136}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 75170, "scanner": "repobility-threat-engine", "fingerprint": "e391b681b93d33004994c75de9575e393fe537816aeed45a48da0f6a3fddddef", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\n  String", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e391b681b93d33004994c75de9575e393fe537816aeed45a48da0f6a3fddddef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapter-utils/src/command-redaction.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 75168, "scanner": "repobility-threat-engine", "fingerprint": "43428b736a837940be13a4a0f76fe41341fafe006c1ba0528dc99d72d57d5529", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hash.update(`symlink:${relativePath}\\n`);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|43428b736a837940be13a4a0f76fe41341fafe006c1ba0528dc99d72d57d5529"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/claude-local/src/server/prompt-cache.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 75167, "scanner": "repobility-threat-engine", "fingerprint": "0064c871d249cc710d2723d6c5e6a5f12aea533cc2928caec58b1b765c8f8f66", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hash.update(file.name);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0064c871d249cc710d2723d6c5e6a5f12aea533cc2928caec58b1b765c8f8f66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/claude-local/src/server/claude-config.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 75166, "scanner": "repobility-threat-engine", "fingerprint": "a87c3a4baf764a2b406890c99030cf78e19407ec7142f7b3cdc4b912454fc045", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "req.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a87c3a4baf764a2b406890c99030cf78e19407ec7142f7b3cdc4b912454fc045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/openclaw-smoke/server.mjs"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 75164, "scanner": "repobility-threat-engine", "fingerprint": "a7bb03b52f657d42b52c5835b69f1e72b43212cd5c46afa9eeb7ed168884af14", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((relativeDir) =>\n                `$HOME/${relativeDir}/${basename}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a7bb03b52f657d42b52c5835b69f1e72b43212cd5c46afa9eeb7ed168884af14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/cursor-local/src/server/remote-command.ts"}, "region": {"startLine": 102}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 75163, "scanner": "repobility-threat-engine", "fingerprint": "f8b7498d5e47f1835049c49648cfeb76870d16a86755333041d0aaf9b7732b01", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([key, value]) => `${key}=${formatEnvValue(value)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f8b7498d5e47f1835049c49648cfeb76870d16a86755333041d0aaf9b7732b01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/config/env.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 75162, "scanner": "repobility-threat-engine", "fingerprint": "efda0b76b8f45b096d74cd695699b2116c226a4e12669b963e94a9d423a8d56f", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([key, value]) => `export ${key}=${shellEscape(value)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|efda0b76b8f45b096d74cd695699b2116c226a4e12669b963e94a9d423a8d56f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/worktree-lib.ts"}, "region": {"startLine": 273}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 75144, "scanner": "repobility-threat-engine", "fingerprint": "4c47936d9e3af6d888a6e6e3d42cfb0bbbf6cfcef0b8b1216e292fc9c26e2a9b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4c47936d9e3af6d888a6e6e3d42cfb0bbbf6cfcef0b8b1216e292fc9c26e2a9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/client/http.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 75143, "scanner": "repobility-threat-engine", "fingerprint": "636268f78d18c0de04eb2178df51854bd549893bf1fa0b2e2623e524bbc66f6a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|636268f78d18c0de04eb2178df51854bd549893bf1fa0b2e2623e524bbc66f6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/client/board-auth.ts"}, "region": {"startLine": 172}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 75142, "scanner": "repobility-threat-engine", "fingerprint": "30a1f2549e16a50265c4005ab8132592487a8ff7aaeea0bc9dbe0eed2e5e6bee", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|30a1f2549e16a50265c4005ab8132592487a8ff7aaeea0bc9dbe0eed2e5e6bee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/checks/deployment-auth-check.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 75140, "scanner": "repobility-threat-engine", "fingerprint": "c95878ead36bed5a496e5e23ab1848de1a197e6d66b00ef603c58e8418c8666f", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "logger.error({ err, path: req.url }, \"failed websocket upgrade authorization\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|26|logger.error err path: req.url failed websocket upgrade authorization"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/realtime/live-events-ws.ts"}, "region": {"startLine": 267}}}]}, {"ruleId": 
"SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 75139, "scanner": "repobility-threat-engine", "fingerprint": "94a2b8a5c95b28b9ac184a3559bc68fb890e986774f2b9bd2370ec1f3c062fa3", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log(`tokenAvailable: ${token != null}`)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|10|console.log tokenavailable: token null"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/codex-local/src/cli/quota-probe.ts"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 75138, "scanner": "repobility-threat-engine", "fingerprint": "cc2a60633a0a37f9e0c9c6553bb823db4494e3ed1c8ff5b8b7d204793fd643cb", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log(`tokenAvailable: ${token != null}`)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|11|console.log tokenavailable: token null"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/adapters/claude-local/src/cli/quota-probe.ts"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "[MINED114] Admin endpoint without auth: PUT /admin/users/:userId/company-access: Express route on /admin path (/admin/users/:userId/company-access) with no auth middleware."}, "properties": {"repobilityId": 75304, "scanner": "repobility-route-auth", "fingerprint": "52269c8faf562b38b16d04453d516298e8167934ddadc72387892948e9659a7b", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|52269c8faf562b38b16d04453d516298e8167934ddadc72387892948e9659a7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/access.ts"}, "region": {"startLine": 4609}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": 
"[MINED114] Admin endpoint without auth: POST /admin/users/:userId/demote-instance-admin: Express route on /admin path (/admin/users/:userId/demote-instance-admin) with no auth middleware."}, "properties": {"repobilityId": 75303, "scanner": "repobility-route-auth", "fingerprint": "9a79dc432225029b71f8706913f392392adbfebf684f95f2c9a6493c98d1ce38", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|9a79dc432225029b71f8706913f392392adbfebf684f95f2c9a6493c98d1ce38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/access.ts"}, "region": {"startLine": 4592}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "[MINED114] Admin endpoint without auth: POST /admin/users/:userId/promote-instance-admin: Express route on /admin path (/admin/users/:userId/promote-instance-admin) with no auth middleware."}, "properties": {"repobilityId": 75302, "scanner": "repobility-route-auth", "fingerprint": "0331a724cfb1adddbda94b3bafc07ca47d69bce74cc7dbee7ff153a46b08f72a", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|0331a724cfb1adddbda94b3bafc07ca47d69bce74cc7dbee7ff153a46b08f72a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/routes/access.ts"}, "region": {"startLine": 4522}}}]}, {"ruleId": "DKC007", "level": "error", "message": 
{"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 75265, "scanner": "repobility-docker", "fingerprint": "8361ba2ad75025e21042461bdfada9e6f1a71c98ea7ba0c4c82eecf06a038a5f", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "db", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|8361ba2ad75025e21042461bdfada9e6f1a71c98ea7ba0c4c82eecf06a038a5f", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) 
compiles strings to functions."}, "properties": {"repobilityId": 75214, "scanner": "repobility-threat-engine", "fingerprint": "b3568f8438f6ad1de2dfa5913c7188d5b8763d366f4c92371ebebb768ebd1c45", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b3568f8438f6ad1de2dfa5913c7188d5b8763d366f4c92371ebebb768ebd1c45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/src/adapters/sandboxed-parser-worker.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 75200, "scanner": "repobility-threat-engine", "fingerprint": "80678c5ba216793d3c64649f0e890e5bc47d367f75bc5dcc1ebec470e26a37d4", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|80678c5ba216793d3c64649f0e890e5bc47d367f75bc5dcc1ebec470e26a37d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/screenshot-recovery-card.cjs"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC001", "level": "error", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 75197, "scanner": "repobility-threat-engine", "fingerprint": "42439a82b061fc26f98851840d7316a4bf125e2216f30bca321cb3a1ca693007", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.8 bits) \u2014 likely real secret", "evidence": {"match": "PASSWORD=\"<redacted>}\"", "reason": "High entropy value (4.8 bits) \u2014 likely real secret", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|token|1|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/docker-onboard-smoke.sh"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 75196, "scanner": "repobility-threat-engine", 
"fingerprint": "0b21e0c8fadf395d128281b71b3fbbfad65b7158d634e82930d5f61b1279b007", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0b21e0c8fadf395d128281b71b3fbbfad65b7158d634e82930d5f61b1279b007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shared/src/routine-variables.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 75160, "scanner": "repobility-threat-engine", "fingerprint": "559656121edb61e54194dfa14973996561a864eabc9de9c24ef58b7ec387d15e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|559656121edb61e54194dfa14973996561a864eabc9de9c24ef58b7ec387d15e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/prompts/database.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 
leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 75159, "scanner": "repobility-threat-engine", "fingerprint": "dbaf92c70492d808bf0af580118873f73c4ce6ae7235b2f4acdedb3dfe323f05", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dbaf92c70492d808bf0af580118873f73c4ce6ae7235b2f4acdedb3dfe323f05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/routines.ts"}, "region": {"startLine": 198}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 75158, "scanner": "repobility-threat-engine", "fingerprint": "e38b64e7920a6e09152e94eb0fb39f42d99b733a90d5152500e1a115ecc3df7a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e38b64e7920a6e09152e94eb0fb39f42d99b733a90d5152500e1a115ecc3df7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/db-backup.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": 
"SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 75156, "scanner": "repobility-threat-engine", "fingerprint": "7c659517b08561c662cafd639b5cfc9509229dc6b40e0cff189c402cbf6ae451", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgres://paperclip:paperclip@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|docker/docker-compose.yml|2|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. 
These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 75155, "scanner": "repobility-threat-engine", "fingerprint": "f75d188749f3110d0a8076067c3bd3e57aa47e24ac65df4f50d45126af3227a0", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgres://paperclip:paperclip@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|19|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/routines.ts"}, "region": {"startLine": 198}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 75154, "scanner": "repobility-threat-engine", "fingerprint": "424d14650b28429d051c9b102360b0b68ebae7710b72e6717768ab8e53df0825", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgres://paperclip:paperclip@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|3|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cli/src/commands/db-backup.ts"}, "region": {"startLine": 32}}}]}]}]}