{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AIC006", "name": "Archive or legacy directory is mixed into the active repository root", "shortDescription": {"text": "Archive or legacy directory is mixed into the active repository root"}, "fullDescription": {"text": "Archive, old, backup, or legacy directories at the root often hide obsolete implementations that AI agents can copy from or accidentally rewire."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found in a documentation, catalog, or template-heavy repository", "shortDescription": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "fullDescription": {"text": "If this repository ships runnable code, add focused tests for those examples or templates. If it is documentation/catalog content only, mark the finding as accepted or add a .repobilityignore note."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "info", "confidence": 0.35, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `ScoopInstaller/GithubActions` pinned to mutable ref `@main`", "shortDescription": {"text": "Action `ScoopInstaller/GithubActions` pinned to mutable ref `@main`"}, "fullDescription": {"text": "`uses: ScoopInstaller/GithubActions@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. Pin to a full 40-character commit SHA and keep the pin current with Dependabot or Renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1146"}, "properties": {"repository": "ScoopInstaller/Main", "repoUrl": "https://github.com/ScoopInstaller/Main", "branch": "master"}, "results": [{"ruleId": "AIC006", "level": "note", "message": {"text": "Archive or legacy directory is mixed into the active repository root"}, "properties": {"repobilityId": 114412, "scanner": "repobility-ai-code-hygiene", "fingerprint": "30f3c142d0d98597a970ae84974043e11b8557dbe8588c457ade7bb408f693a0", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains an archive/legacy directory name.", "evidence": {"rule_id": "AIC006", "scanner": "repobility-ai-code-hygiene", "directory": "deprecated", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|30f3c142d0d98597a970ae84974043e11b8557dbe8588c457ade7bb408f693a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deprecated"}, "region": {"startLine": 1}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "none", "message": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "properties": {"repobilityId": 114411, "scanner": "repobility-core", "fingerprint": "69cfb3536a8ccff500ccafcd681fc8d4bc9f4eda6689da02ddec81654bd9fd15", "category": "testing", "severity": "info", "confidence": 0.35, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "evidence": {"reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "rule_id": "CORE_NO_TESTS", 
"scanner": "repobility-core", "confidence": 0.35, "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ScoopInstaller/GithubActions` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 114416, "scanner": "repobility-supply-chain", "fingerprint": "d557cbd7e4113be830fa57d8b371384716e515ec3462d28c55622bf2b854ec2a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d557cbd7e4113be830fa57d8b371384716e515ec3462d28c55622bf2b854ec2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/issues.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ScoopInstaller/GithubActions` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 114415, "scanner": "repobility-supply-chain", "fingerprint": "f582cac58357adf70998904057490f3bb1f3ceb9b2b0c9205d3a343417e9564c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f582cac58357adf70998904057490f3bb1f3ceb9b2b0c9205d3a343417e9564c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/issue_comment.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ScoopInstaller/GithubActions` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 114414, "scanner": 
"repobility-supply-chain", "fingerprint": "3a906ef0a0c2a9d24c7cb42dfe83fcd10596c2457b5cfb8cf5f57dff57adba52", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3a906ef0a0c2a9d24c7cb42dfe83fcd10596c2457b5cfb8cf5f57dff57adba52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pull_request.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ScoopInstaller/GithubActions` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 114413, "scanner": "repobility-supply-chain", "fingerprint": "1e27edeb37daa1271a86db2505e2d05e7087743ad2cedbb9993b412cc5731a1f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e27edeb37daa1271a86db2505e2d05e7087743ad2cedbb9993b412cc5731a1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/excavator.yml"}, "region": {"startLine": 20}}}]}]}]}