{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "[MINED109] Mutable default argument in `run_ninja` (list): `def run_ninja(... = []/{}/set())` \u2014 Python's default value i", "shortDescription": {"text": "[MINED109] Mutable default argument in `run_ninja` (list): `def run_ninja(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. 
Mutating it in one call mutates it for every"}, "fullDescription": {"text": "Use None as the default and create the collection inside the function: `def run_ninja(x=None): x = x or []`"}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR013", "name": "Dockerfile ADD downloads remote content", "shortDescription": {"text": "Dockerfile ADD downloads remote content"}, "fullDescription": {"text": "Use curl/wget with a pinned URL, verify checksum or signature, and prefer COPY for local files."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. 
Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Use `pip install --no-cache-dir ...` in container builds."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", 
"shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 11 (SonarSource scale). Cognitive complexi", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weig"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 11."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `ci-container-build-tools (no tag)` not pinned by digest: `FROM ci-container-build-tools (no ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `ci-container-build-tools (no tag)` not pinned by digest: `FROM ci-container-build-tools (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is pot"}, "fullDescription": {"text": "Replace with: `FROM ci-container-build-tools (no tag)@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED119", "name": "[MINED119] Dockerfile `ADD https://aka.ms/vs/17/release/vs_buildtools.exe`: Dockerfile `ADD <url>` downloads a remote ar", "shortDescription": {"text": "[MINED119] Dockerfile `ADD https://aka.ms/vs/17/release/vs_buildtools.exe`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. If the host or DNS is compromised between layers \u2014 or if the URL serves a"}, "fullDescription": {"text": "Download the file in CI with a known checksum, vendor it into the repo, and COPY it during the build. Or use `RUN curl -sSL URL | sha256sum -c <(echo '<expected> -')` to verify."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `ghcr.io/llvm/ci-ubuntu-24.04:latest` unpinned: `container/services image: ", "shortDescription": {"text": "[MINED126] Workflow container/services image `ghcr.io/llvm/ci-ubuntu-24.04:latest` unpinned: `container/services image: ghcr.io/llvm/ci-ubuntu-24.04:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow cont"}, "fullDescription": {"text": "Replace with `ghcr.io/llvm/ci-ubuntu-24.04:latest@sha256:<digest>`. 
Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_bad_response_code: Test function `test_bad_response_code` runs code but contains ", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_bad_response_code: Test function `test_bad_response_code` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_report_dont_list_failures_link_to_log` o", "shortDescription": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_report_dont_list_failures_link_to_log` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback)"}, "fullDescription": {"text": "Initialize `self.assertEqual = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED034", "name": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.", "shortDescription": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.LLVM_TOKEN_GENERATOR_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers ", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.LLVM_TOKEN_GENERATOR_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.LLVM_TOKEN_GENERATOR_PRIVATE_KEY }` lets a "}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `sys` used but not imported: The file uses `sys.something(...)` but never imports `sys`. This", "shortDescription": {"text": "[MINED107] Missing import: `sys` used but not imported: The file uses `sys.something(...)` but never imports `sys`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import sys` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1267"}, "properties": {"repository": "llvm/llvm-project", "repoUrl": "https://github.com/llvm/llvm-project", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128734, "scanner": "repobility-ast-engine", "fingerprint": "82f1f914e7ad208f268d7db3958819d4c13b3dddb475f097dee45ac777df2410", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|82f1f914e7ad208f268d7db3958819d4c13b3dddb475f097dee45ac777df2410"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/buildbot/worker.py"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128733, "scanner": "repobility-ast-engine", "fingerprint": "da8f3fde4046e6808d88c2daed78d25f08908ce6d73e79454a831fd1eb2110c9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|da8f3fde4046e6808d88c2daed78d25f08908ce6d73e79454a831fd1eb2110c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/buildbot/worker.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128732, "scanner": "repobility-ast-engine", "fingerprint": "98c1d3c50ce295a1368d471b40d8e49c00061c6e6d8786b95d46ca2799a7dbbb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|98c1d3c50ce295a1368d471b40d8e49c00061c6e6d8786b95d46ca2799a7dbbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/buildbot/worker.py"}, "region": {"startLine": 208}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128731, "scanner": "repobility-ast-engine", "fingerprint": "e61c2ea3963b15eb5ad5defe2e852d97e6210f324fbbdb8c2146089704040600", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e61c2ea3963b15eb5ad5defe2e852d97e6210f324fbbdb8c2146089704040600"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/buildbot/worker.py"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 128730, "scanner": "repobility-ast-engine", "fingerprint": "b39ca3590da4738dceefa7d2a8c025a6415c44db18ae65176b6f91f7bc5bdb13", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b39ca3590da4738dceefa7d2a8c025a6415c44db18ae65176b6f91f7bc5bdb13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/buildbot/worker.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `run_ninja` (list): `def run_ninja(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 128729, "scanner": "repobility-ast-engine", "fingerprint": "abce6b1f67ca15498e6377c8c1b0a72b63167063fa2fa09f508a276f3c750460", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|abce6b1f67ca15498e6377c8c1b0a72b63167063fa2fa09f508a276f3c750460"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/buildbot/worker.py"}, "region": {"startLine": 243}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `run` (list): `def run(... 
= []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 128728, "scanner": "repobility-ast-engine", "fingerprint": "23426d50cac9a3e24ca6b844dce69d0f84f1b4e74bf311677ab883b54ed5ca83", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|23426d50cac9a3e24ca6b844dce69d0f84f1b4e74bf311677ab883b54ed5ca83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/buildbot/worker.py"}, "region": {"startLine": 338}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `generate_report` (list): `def generate_report(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. 
Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 128726, "scanner": "repobility-ast-engine", "fingerprint": "1a7f26ec6a3864d25ac34d995697e823e6ef1cae04ea27dbbe41e0b875091e8d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1a7f26ec6a3864d25ac34d995697e823e6ef1cae04ea27dbbe41e0b875091e8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib.py"}, "region": {"startLine": 176}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 128699, "scanner": "repobility-docker", "fingerprint": "cbb83d95ccfa215c439782611939461ab0f7a881a732aff18c98d0de920abdb0", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "mcr.microsoft.com/dotnet/framework/sdk:4.8-windowsservercore-ltsc2022", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|cbb83d95ccfa215c439782611939461ab0f7a881a732aff18c98d0de920abdb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/github-action-ci-windows/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR013", "level": "warning", "message": {"text": "Dockerfile ADD downloads remote content"}, "properties": 
{"repobilityId": 128697, "scanner": "repobility-docker", "fingerprint": "3f3c32796ca5adcfbe5211ed9b46ef460a4abbf606c26a0bd7e36e35a1d67253", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "ADD instruction references a remote URL.", "evidence": {"rule_id": "DKR013", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3f3c32796ca5adcfbe5211ed9b46ef460a4abbf606c26a0bd7e36e35a1d67253"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/github-action-ci-windows/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 128696, "scanner": "repobility-docker", "fingerprint": "4ad02afa1e7d25662ed9ab537e21c611cabed5ed8e873237be94d9ebbf4d4377", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ci-container-build-tools", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4ad02afa1e7d25662ed9ab537e21c611cabed5ed8e873237be94d9ebbf4d4377"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/github-action-ci-tooling/Dockerfile"}, "region": {"startLine": 104}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 128688, "scanner": "repobility-docker", 
"fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 128687, "scanner": "repobility-docker", "fingerprint": "adfac0b7170427b44a8cb8e1df1b8206f75009e698535317a05b05b3b2ec2ecc", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "ci-container", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|adfac0b7170427b44a8cb8e1df1b8206f75009e698535317a05b05b3b2ec2ecc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/github-action-ci/Dockerfile"}, "region": {"startLine": 101}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. 
Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 128683, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC005", "level": "warning", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 128681, "scanner": "repobility-threat-engine", "fingerprint": "4b374de8d8c2e3734e2d1f686ec5a6022fafd055a2c2e445c2f64403f6404723", "category": "injection", "severity": "medium", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "shell=True detected \u2014 verify command source is not user-controllable", "evidence": {"match": "subprocess.run(command, shell=True", "reason": "shell=True detected \u2014 verify command source is not user-controllable", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|. 
token|16|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-post-commit-analyzer-run.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 128700, "scanner": "repobility-docker", "fingerprint": "c9889d3acd6c663a17af6919c5402906c20e5560a8fe710a5122bc679475084b", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c9889d3acd6c663a17af6919c5402906c20e5560a8fe710a5122bc679475084b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/libc/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 128698, "scanner": "repobility-docker", "fingerprint": "3f2f6b3bd6e1fb73450ff93aa98a451be21509610d6c69e4bf3f34084f59e3c7", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|3f2f6b3bd6e1fb73450ff93aa98a451be21509610d6c69e4bf3f34084f59e3c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/github-action-ci-windows/Dockerfile"}, "region": {"startLine": 52}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs 
recommended OS packages"}, "properties": {"repobilityId": 128695, "scanner": "repobility-docker", "fingerprint": "76930e4db5dcc3510b7014a317bd3e9338951307b7d9775001db417630d0bf4f", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|76930e4db5dcc3510b7014a317bd3e9338951307b7d9775001db417630d0bf4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/github-action-ci-tooling/Dockerfile"}, "region": {"startLine": 106}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 128694, "scanner": "repobility-docker", "fingerprint": "b9218c4f69e4bb727fe48e6ebad446a8410e775f2e2f906110d2f7b1b432127b", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|b9218c4f69e4bb727fe48e6ebad446a8410e775f2e2f906110d2f7b1b432127b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/github-action-ci-tooling/Dockerfile"}, "region": {"startLine": 98}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 128693, "scanner": "repobility-docker", "fingerprint": "49377eb58bd0045907ea4e46b5018445e73975bae0f1e808d237d07ad938c9ad", "category": "docker", "severity": "low", "confidence": 0.72, 
"triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|49377eb58bd0045907ea4e46b5018445e73975bae0f1e808d237d07ad938c9ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/github-action-ci-tooling/Dockerfile"}, "region": {"startLine": 82}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 128692, "scanner": "repobility-docker", "fingerprint": "9ad0f3e547083804694f544df8ec41a613cb8304707f0f89bcf447a74ea992ca", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9ad0f3e547083804694f544df8ec41a613cb8304707f0f89bcf447a74ea992ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/github-action-ci-tooling/Dockerfile"}, "region": {"startLine": 61}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 128691, "scanner": "repobility-docker", "fingerprint": "325686e3854b55e2c8a4890b9f3859d92d038a23d6a4216b5ad6ddab3dcf87ad", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|325686e3854b55e2c8a4890b9f3859d92d038a23d6a4216b5ad6ddab3dcf87ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/github-action-ci-tooling/Dockerfile"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 128690, "scanner": "repobility-docker", "fingerprint": "8be60c79413a0a7699ae9ddb4a1b71201fb9e0e2ba99100dc41fbae25a299a82", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8be60c79413a0a7699ae9ddb4a1b71201fb9e0e2ba99100dc41fbae25a299a82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/github-action-ci-tooling/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 128689, "scanner": "repobility-docker", "fingerprint": "19ab5985a96371763a8431a05f5f6046cdcadb18fdfb175647fbfee6afc40f83", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": 
"fp|19ab5985a96371763a8431a05f5f6046cdcadb18fdfb175647fbfee6afc40f83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/github-action-ci-tooling/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 128686, "scanner": "repobility-docker", "fingerprint": "0376789fc50b221178bc41400a98c189817fee9a528d4157e050bc725ddf22ba", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0376789fc50b221178bc41400a98c189817fee9a528d4157e050bc725ddf22ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/github-action-ci/Dockerfile"}, "region": {"startLine": 49}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 128685, "scanner": "repobility-docker", "fingerprint": "efa267056753f288dbc5cc33bd18a1c3527ee34354528fb08466033452736d81", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|efa267056753f288dbc5cc33bd18a1c3527ee34354528fb08466033452736d81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/containers/github-action-ci/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 128684, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c285ffb7115732a158b1cd507b2be3571547c84e453673983b914a3fccc74466", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bolt/lib/Rewrite/BuildIDRewriter.cpp", "duplicate_line": 28, "correlation_key": "fp|c285ffb7115732a158b1cd507b2be3571547c84e453673983b914a3fccc74466"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bolt/lib/Rewrite/GNUPropertyRewriter.cpp"}, "region": {"startLine": 19}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=1, for=4, if=1, nested_bonus=4, ternary=1."}, "properties": {"repobilityId": 128678, "scanner": "repobility-threat-engine", "fingerprint": "3913e4804972154a69825d4eae59e783dd6694e7b899cf076b07733a49b3fbed", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 11 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 1, "for": 4, "else": 1, "ternary": 1, "nested_bonus": 4}, "complexity": 11, "correlation_key": "fp|3913e4804972154a69825d4eae59e783dd6694e7b899cf076b07733a49b3fbed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/premerge_advisor_upload.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: elif=1, else=1, for=3, if=4, nested_bonus=5."}, "properties": {"repobilityId": 128677, "scanner": "repobility-threat-engine", "fingerprint": "87ba05113e316b5f5f305e14cd18a165b5b550b6766f8723f151de464e31d26d", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 14 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 4, "for": 3, "elif": 1, "else": 1, "nested_bonus": 5}, "complexity": 14, "correlation_key": "fp|87ba05113e316b5f5f305e14cd18a165b5b550b6766f8723f151de464e31d26d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/premerge_advisor_explain.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 128680, "scanner": "repobility-threat-engine", "fingerprint": "7195ad2ed9d17b05fb3343deb30e489e47b88806e32e44e36b1ae21ff4fb7c7d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 4, "for": 3, "elif": 1, "else": 1, "nested_bonus": 5}, "aggregated": true, "complexity": 14, "correlation_key": "fp|7195ad2ed9d17b05fb3343deb30e489e47b88806e32e44e36b1ae21ff4fb7c7d", "aggregated_count": 6}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 128676, "scanner": "repobility-threat-engine", "fingerprint": "6a2e8252b2a7fb6af3beea3073f6d024fadad76bed3c339ed6b55839c156d98c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a2e8252b2a7fb6af3beea3073f6d024fadad76bed3c339ed6b55839c156d98c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/premerge_advisor_upload.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 128675, "scanner": "repobility-threat-engine", "fingerprint": "717a936484b272a27af8c91f19c3840b4e1457f6e56d573049dd604ea9f5b6d6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|717a936484b272a27af8c91f19c3840b4e1457f6e56d573049dd604ea9f5b6d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/premerge_advisor_explain.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 128674, "scanner": "repobility-threat-engine", "fingerprint": "748d3e00e3e6390952ec1764ae0788a68f49a866318f1750ea4bea4dab582bca", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|748d3e00e3e6390952ec1764ae0788a68f49a866318f1750ea4bea4dab582bca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/premerge_advisor_upload.py"}, "region": {"startLine": 
18}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 128673, "scanner": "repobility-threat-engine", "fingerprint": "a493a22e5eec6f32da6594ce7a3b611c75f5b2ce34ffce05b352acec38c93bb1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a493a22e5eec6f32da6594ce7a3b611c75f5b2ce34ffce05b352acec38c93bb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/premerge_advisor_explain.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC078", "level": "none", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 128672, "scanner": "repobility-threat-engine", "fingerprint": "c156f97031bf9d331d58397e097a2fdcc7ecacef2ecb5bac99269b59721657b5", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'timeout\\s*=' detected on same line", "evidence": {"match": "requests.post(", "reason": "Safe pattern 'timeout\\s*=' detected on same line", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|c156f97031bf9d331d58397e097a2fdcc7ecacef2ecb5bac99269b59721657b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/premerge_advisor_upload.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ci-container-build-tools (no tag)` not pinned by digest: `FROM ci-container-build-tools (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128747, "scanner": "repobility-supply-chain", "fingerprint": "bcd045d5d867759ba23931912232dc45a0f5cebb2d8488ac5fe35175b6499cc5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bcd045d5d867759ba23931912232dc45a0f5cebb2d8488ac5fe35175b6499cc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/github-action-ci-tooling/Dockerfile"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ci-container-build-tools (no tag)` not pinned by digest: `FROM ci-container-build-tools (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128746, "scanner": "repobility-supply-chain", "fingerprint": "cd8b19ea8fb2f553a03d35dce3809aedeb28d048a73f704134cce79883537f77", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd8b19ea8fb2f553a03d35dce3809aedeb28d048a73f704134cce79883537f77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/github-action-ci-tooling/Dockerfile"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `docker.io/library/ubuntu:24.04` not pinned by digest: `FROM docker.io/library/ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128745, "scanner": "repobility-supply-chain", "fingerprint": "4625fc4fdcf56cbc97fa452ac36b3d195fd5a8abfd747e2d99857882aa4abcda", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4625fc4fdcf56cbc97fa452ac36b3d195fd5a8abfd747e2d99857882aa4abcda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/libc/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED119", "level": "error", "message": {"text": "[MINED119] Dockerfile `ADD https://aka.ms/vs/17/release/vs_buildtools.exe`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. 
If the host or DNS is compromised between layers \u2014 or if the URL serves a different file later \u2014 malicious content gets baked into the image."}, "properties": {"repobilityId": 128744, "scanner": "repobility-supply-chain", "fingerprint": "42dcd9b1e596fb26ba52caf48bdfea370e8187b73bb5743de4d2d1ea98c07673", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-add-remote-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829", "CWE-494"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|42dcd9b1e596fb26ba52caf48bdfea370e8187b73bb5743de4d2d1ea98c07673"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/github-action-ci-windows/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/dotnet/framework/sdk:4.8-windowsservercore-ltsc2022` not pinned by digest: `FROM mcr.microsoft.com/dotnet/framework/sdk:4.8-windowsservercore-ltsc2022` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128743, "scanner": "repobility-supply-chain", "fingerprint": "aec16c0f1efd85387182287f7d42310635d7c50a8eb5a66f5400e131374fc88b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aec16c0f1efd85387182287f7d42310635d7c50a8eb5a66f5400e131374fc88b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/github-action-ci-windows/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `docker.io/library/ubuntu:24.04` not pinned by digest: `FROM docker.io/library/ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 128742, "scanner": "repobility-supply-chain", "fingerprint": "8f8c840facb89a3290ef534e1296f5e5fe83827e6dd8f58af2e03667587399c1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8f8c840facb89a3290ef534e1296f5e5fe83827e6dd8f58af2e03667587399c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/containers/github-action-ci/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/llvm/ci-ubuntu-24.04:latest` unpinned: `container/services image: ghcr.io/llvm/ci-ubuntu-24.04:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 128741, "scanner": "repobility-supply-chain", "fingerprint": "e1e6349573cf16d8a0a94ee1521d52d074a1803bc6d4cd4bd5590fb143e550dd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e1e6349573cf16d8a0a94ee1521d52d074a1803bc6d4cd4bd5590fb143e550dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/mlir-spirv-tests.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/llvm/ci-ubuntu-24.04-format` unpinned: `container/services image: ghcr.io/llvm/ci-ubuntu-24.04-format` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 128738, "scanner": "repobility-supply-chain", "fingerprint": "10cc8c51c09ecd646e12164e5efa079de078d7842b72b660b43069bd915b73de", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|10cc8c51c09ecd646e12164e5efa079de078d7842b72b660b43069bd915b73de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-code-format.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_bad_response_code: Test function `test_bad_response_code` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. 
Adds line coverage without verifying anything."}, "properties": {"repobilityId": 128727, "scanner": "repobility-ast-engine", "fingerprint": "8f5c7ae806ac787b67e814c8de7acc2d298e180e0028957c49daaa18d6771c2e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8f5c7ae806ac787b67e814c8de7acc2d298e180e0028957c49daaa18d6771c2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/metrics/metrics_test.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_report_dont_list_failures_link_to_log` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128725, "scanner": "repobility-ast-engine", "fingerprint": "fc902bff319edf9fd3c26fde4ef10dd63d48061f33b34f45d5579967af99aed8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fc902bff319edf9fd3c26fde4ef10dd63d48061f33b34f45d5579967af99aed8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 699}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_report_dont_list_failures` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128724, "scanner": "repobility-ast-engine", "fingerprint": "73aa87640747ecee2cd146fbe7b4eee888e668ca3a5e1933f06f12b0f6bbb2cb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|73aa87640747ecee2cd146fbe7b4eee888e668ca3a5e1933f06f12b0f6bbb2cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 661}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_report_multiple_files_multiple_testsuites` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128723, "scanner": "repobility-ast-engine", "fingerprint": "28ed7fdbc600ee35a99bb72e47eca3080f18a7d63a0b973428e5de3aef0bfb5b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|28ed7fdbc600ee35a99bb72e47eca3080f18a7d63a0b973428e5de3aef0bfb5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 619}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_report_single_file_multiple_testsuites` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128722, "scanner": "repobility-ast-engine", "fingerprint": "9118825b194c8cbebcc04cddb6421b5ed38e3ee7c94281557a72006d9db926f0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9118825b194c8cbebcc04cddb6421b5ed38e3ee7c94281557a72006d9db926f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 585}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_report_single_file_single_testsuite` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128721, "scanner": "repobility-ast-engine", "fingerprint": "1f28c9b34101aa709e66c7d2872d6158a3033f34d1ac867619063cd981d6c686", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1f28c9b34101aa709e66c7d2872d6158a3033f34d1ac867619063cd981d6c686"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 490}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_no_failures_multiple_build_failed_ninja_log` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128720, "scanner": "repobility-ast-engine", "fingerprint": "99c011fa2830eca919e60c03e22a6f6d5a1502255010dcc21e93947477036c8f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|99c011fa2830eca919e60c03e22a6f6d5a1502255010dcc21e93947477036c8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 426}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_no_failures_build_failed_ninja_log` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128719, "scanner": "repobility-ast-engine", "fingerprint": "ae280da6248376ce978449785be6f23c9f370813dcc1852fbd06de261158fa72", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ae280da6248376ce978449785be6f23c9f370813dcc1852fbd06de261158fa72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 370}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_no_failures_build_failed` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128718, "scanner": "repobility-ast-engine", "fingerprint": "e7f590049760355932fd468c9288b586e9fb8e1e534f355ef1a29e9f04e46115", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e7f590049760355932fd468c9288b586e9fb8e1e534f355ef1a29e9f04e46115"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 333}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_no_failures` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128717, "scanner": "repobility-ast-engine", "fingerprint": "3eaf78ce834e432e4d1b8d8ad5a7afbc58380be69effa2caa74ad532f08fa5dc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3eaf78ce834e432e4d1b8d8ad5a7afbc58380be69effa2caa74ad532f08fa5dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 300}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_no_tests_in_testsuite` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128716, "scanner": "repobility-ast-engine", "fingerprint": "347f658dcb54373ec1a4527411b8ca648ca55dccd7d5466a43b842c06eee652e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|347f658dcb54373ec1a4527411b8ca648ca55dccd7d5466a43b842c06eee652e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 266}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_title_only_failure_ninja_log` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128715, "scanner": "repobility-ast-engine", "fingerprint": "1ab3ab88e7152e53d8590be97b6786271956908e5d24803ebde4fb49ebb02512", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1ab3ab88e7152e53d8590be97b6786271956908e5d24803ebde4fb49ebb02512"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 224}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_title_only_failure` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128714, "scanner": "repobility-ast-engine", "fingerprint": "847d7f1cbb37f723f3096b94b1f23b424c9e35a3f4575ccb2550309c7a04a9a7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|847d7f1cbb37f723f3096b94b1f23b424c9e35a3f4575ccb2550309c7a04a9a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_title_only` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128713, "scanner": "repobility-ast-engine", "fingerprint": "44786cfabe2e56e45e823ffc2ec5b029c339ea2aa1b1512a681528678b90f787", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|44786cfabe2e56e45e823ffc2ec5b029c339ea2aa1b1512a681528678b90f787"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_ninja_log_mismatched_failed` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128712, "scanner": "repobility-ast-engine", "fingerprint": "457e88c43cb9051195577b8ba0af52e57a99459bf00c56439db0aa605792bd2a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|457e88c43cb9051195577b8ba0af52e57a99459bf00c56439db0aa605792bd2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_ninja_log_mismatched_failed` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128711, "scanner": "repobility-ast-engine", "fingerprint": "90cdc5486b3aca34a1bded671e087ff2bb430aafe2f7bcbf4f4eba60c2551bc0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|90cdc5486b3aca34a1bded671e087ff2bb430aafe2f7bcbf4f4eba60c2551bc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_ninja_log_runtimes_failure` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128710, "scanner": "repobility-ast-engine", "fingerprint": "b116899a1cd2f06b0564836b56db7e4afcae4f3cf8dbd20d099c411c3a328eb0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b116899a1cd2f06b0564836b56db7e4afcae4f3cf8dbd20d099c411c3a328eb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_ninja_log_runtimes_failure` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128709, "scanner": "repobility-ast-engine", "fingerprint": "1ca199ce283bdf632b638aa65bcbf7f3551d63be027e960750101542dd868c7a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1ca199ce283bdf632b638aa65bcbf7f3551d63be027e960750101542dd868c7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_ninja_log_multiple_failures` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128708, "scanner": "repobility-ast-engine", "fingerprint": "07756cf86f75a8c797f2a4117bccfc079f51dbfd638741de40215b0384a2ac17", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|07756cf86f75a8c797f2a4117bccfc079f51dbfd638741de40215b0384a2ac17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_ninja_log_multiple_failures` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128707, "scanner": "repobility-ast-engine", "fingerprint": "920e2bc95c9d134f0808a030d16f900d8d153660dcb007ff74425a7412a31b5a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|920e2bc95c9d134f0808a030d16f900d8d153660dcb007ff74425a7412a31b5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_ninja_log_multiple_failures` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128706, "scanner": "repobility-ast-engine", "fingerprint": "601aa3e4cd1a0cc58d8fd4c7676697a007cf1bb89bc525b0a706ef5c659108ed", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|601aa3e4cd1a0cc58d8fd4c7676697a007cf1bb89bc525b0a706ef5c659108ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_ninja_log_end` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128705, "scanner": "repobility-ast-engine", "fingerprint": "7cb586210cda07bfdf0adaadc315f4cdd16e2d12df56d771467cb71898a1cb0e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7cb586210cda07bfdf0adaadc315f4cdd16e2d12df56d771467cb71898a1cb0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_ninja_log_end` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128704, "scanner": "repobility-ast-engine", "fingerprint": "6fa1ba9133b05aa44756ee973cb525ae0aff67ea72131f8192c2346495370d0d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6fa1ba9133b05aa44756ee973cb525ae0aff67ea72131f8192c2346495370d0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_no_failure_ninja_log` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128703, "scanner": "repobility-ast-engine", "fingerprint": "6e48d35f66896ea240acf33eb5472ead5f3a0e506aaf6b91cca56cc01cded045", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6e48d35f66896ea240acf33eb5472ead5f3a0e506aaf6b91cca56cc01cded045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_find_failure_ninja_logs` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128702, "scanner": "repobility-ast-engine", "fingerprint": "b7cbf4cb698e47befe12e5628f94c63eb16ec52e731cf75046def8400bfab685", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b7cbf4cb698e47befe12e5628f94c63eb16ec52e731cf75046def8400bfab685"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_find_failure_ninja_logs` of class `TestReports` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 128701, "scanner": "repobility-ast-engine", "fingerprint": "904a84801425af13aff8537f1a2c3aa19a9172b4b67e228d78afb228d745be67", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|904a84801425af13aff8537f1a2c3aa19a9172b4b67e228d78afb228d745be67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/generate_test_report_lib_test.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED034", "level": "error", "message": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "properties": {"repobilityId": 128682, "scanner": "repobility-threat-engine", "fingerprint": "9915a837a123371ec0a27a71d141df663464f98354e736ab7d670a7d032a206a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-subprocess-shell-true", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347977+00:00", "triaged_in_corpus": 15, "observations_count": 3478, "ai_coder_pattern_id": 118}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9915a837a123371ec0a27a71d141df663464f98354e736ab7d670a7d032a206a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-post-commit-analyzer-run.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function 
`count_prs` has cognitive complexity 33 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=4, for=1, if=6, nested_bonus=20, while=2."}, "properties": {"repobilityId": 128679, "scanner": "repobility-threat-engine", "fingerprint": "06d4ef5ef00c6654cd62d7368ffd374375638f8ce82ef5201839d34f8a460790", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 33 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "count_prs", "breakdown": {"if": 6, "for": 1, "while": 2, "continue": 4, "nested_bonus": 20}, "complexity": 33, "correlation_key": "fp|06d4ef5ef00c6654cd62d7368ffd374375638f8ce82ef5201839d34f8a460790"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/commit-access-review.py"}, "region": {"startLine": 202}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service (DoS). Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 128671, "scanner": "repobility-threat-engine", "fingerprint": "704aeeac0de95f96952ab1d0dc69b48a42e3a72b64ed34a4eae801f47eba98c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|704aeeac0de95f96952ab1d0dc69b48a42e3a72b64ed34a4eae801f47eba98c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/premerge_advisor_explain.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 128670, "scanner": "repobility-threat-engine", "fingerprint": "7e1263b6e58fb9e0562bd672dc966854d33597fa4167c640bb85f55253635642", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "urllib.request.urlopen(h", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7e1263b6e58fb9e0562bd672dc966854d33597fa4167c640bb85f55253635642"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prune-unused-branches.py"}, "region": {"startLine": 181}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 128669, "scanner": "repobility-threat-engine", "fingerprint": "c0f18f261eda982966a59d009211c58e8e04bb48bbda081d2f1c4542e4fdf65d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.post(premerge_advisor_url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c0f18f261eda982966a59d009211c58e8e04bb48bbda081d2f1c4542e4fdf65d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/premerge_advisor_upload.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 128668, "scanner": "repobility-threat-engine", "fingerprint": "d977cd7ac11aab1428f6897fa6121a36ed89c2cb4846dcce778e158157755a68", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(\n            PREMERGE_ADVISOR_URL", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d977cd7ac11aab1428f6897fa6121a36ed89c2cb4846dcce778e158157755a68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".ci/premerge_advisor_explain.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.LLVM_TOKEN_GENERATOR_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.LLVM_TOKEN_GENERATOR_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128740, "scanner": "repobility-supply-chain", "fingerprint": "e1c8f3d509fedde5cc9af113d78764e71254cf3f41e8a0010afc8abde3fd67e8", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e1c8f3d509fedde5cc9af113d78764e71254cf3f41e8a0010afc8abde3fd67e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-binaries-all.yml"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.LLVM_TOKEN_GENERATOR_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.LLVM_TOKEN_GENERATOR_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128739, "scanner": "repobility-supply-chain", "fingerprint": "07ae46b11516ea36bbe17db172b0584ca23ef99b4b2591e3ae79548a12435d53", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|07ae46b11516ea36bbe17db172b0584ca23ef99b4b2591e3ae79548a12435d53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-binaries-all.yml"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.LLVM_TOKEN_GENERATOR_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.LLVM_TOKEN_GENERATOR_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128737, "scanner": "repobility-supply-chain", "fingerprint": "ad89371b7b1d774d08b3d06fd1b5478b13c668eaa07a21f6ee1f3c81a175976e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad89371b7b1d774d08b3d06fd1b5478b13c668eaa07a21f6ee1f3c81a175976e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-asset-audit.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.LLVM_TOKEN_GENERATOR_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.LLVM_TOKEN_GENERATOR_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 128736, "scanner": "repobility-supply-chain", "fingerprint": "9a1feffb99b9d05c640ba13fda2bceca1825063ce0a915494692555ccacda6a9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a1feffb99b9d05c640ba13fda2bceca1825063ce0a915494692555ccacda6a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-asset-audit.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `sys` used but not imported: The file uses `sys.something(...)` but never imports `sys`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 128735, "scanner": "repobility-ast-engine", "fingerprint": "5e517b116afebcf6f30dc23e45332765f708128bd8cb4d690c74b482b6bb1596", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5e517b116afebcf6f30dc23e45332765f708128bd8cb4d690c74b482b6bb1596"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bolt/test/lit.cfg.py"}, "region": {"startLine": 137}}}]}]}]}