{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-58qx-3vcg-4xpx", "name": "ws: GHSA-58qx-3vcg-4xpx", "shortDescription": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "fullDescription": {"text": "ws: Uninitialized memory disclosure"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3v7f-55p6-f55p", "name": "picomatch: GHSA-3v7f-55p6-f55p", "shortDescription": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "fullDescription": {"text": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-v2v4-37r5-5v8g", "name": "ip-address: GHSA-v2v4-37r5-5v8g", "shortDescription": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, "fullDescription": {"text": "ip-address has XSS in Address6 HTML-emitting methods"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xrhx-7g5j-rcj5", "name": "hono: GHSA-xrhx-7g5j-rcj5", "shortDescription": {"text": "hono: GHSA-xrhx-7g5j-rcj5"}, "fullDescription": {"text": "Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 "}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xpcf-pg52-r92g", "name": "hono: GHSA-xpcf-pg52-r92g", "shortDescription": {"text": "hono: GHSA-xpcf-pg52-r92g"}, "fullDescription": {"text": "Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, 
{"id": "GHSA-xf4j-xp2r-rqqx", "name": "hono: GHSA-xf4j-xp2r-rqqx", "shortDescription": {"text": "hono: GHSA-xf4j-xp2r-rqqx"}, "fullDescription": {"text": "Hono: Path traversal in toSSG() allows writing files outside the output directory"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-wmmm-f939-6g9c", "name": "hono: GHSA-wmmm-f939-6g9c", "shortDescription": {"text": "hono: GHSA-wmmm-f939-6g9c"}, "fullDescription": {"text": "Hono: Middleware bypass via repeated slashes in serveStatic"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-r5rp-j6wh-rvv4", "name": "hono: GHSA-r5rp-j6wh-rvv4", "shortDescription": {"text": "hono: GHSA-r5rp-j6wh-rvv4"}, "fullDescription": {"text": "Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-qp7p-654g-cw7p", "name": "hono: GHSA-qp7p-654g-cw7p", "shortDescription": {"text": "hono: GHSA-qp7p-654g-cw7p"}, "fullDescription": {"text": "Hono has CSS Declaration Injection via Style Object Values in JSX SSR"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-p77w-8qqv-26rm", "name": "hono: GHSA-p77w-8qqv-26rm", "shortDescription": {"text": "hono: GHSA-p77w-8qqv-26rm"}, "fullDescription": {"text": "Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f577-qrjj-4474", "name": "hono: GHSA-f577-qrjj-4474", "shortDescription": {"text": "hono: GHSA-f577-qrjj-4474"}, 
"fullDescription": {"text": "Hono: JWT middleware accepts any Authorization scheme, not only Bearer"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9vqf-7f2p-gf9v", "name": "hono: GHSA-9vqf-7f2p-gf9v", "shortDescription": {"text": "hono: GHSA-9vqf-7f2p-gf9v"}, "fullDescription": {"text": "Hono: bodyLimit() can be bypassed for chunked / unknown-length requests"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-69xw-7hcm-h432", "name": "hono: GHSA-69xw-7hcm-h432", "shortDescription": {"text": "hono: GHSA-69xw-7hcm-h432"}, "fullDescription": {"text": "hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-458j-xx4x-4375", "name": "hono: GHSA-458j-xx4x-4375", "shortDescription": {"text": "hono: GHSA-458j-xx4x-4375"}, "fullDescription": {"text": "hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3hrh-pfw6-9m5x", "name": "hono: GHSA-3hrh-pfw6-9m5x", "shortDescription": {"text": "hono: GHSA-3hrh-pfw6-9m5x"}, "fullDescription": {"text": "Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-2gcr-mfcq-wcc3", "name": "hono: GHSA-2gcr-mfcq-wcc3", "shortDescription": {"text": "hono: GHSA-2gcr-mfcq-wcc3"}, "fullDescription": {"text": "Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths"}, 
"properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-26pp-8wgv-hjvm", "name": "hono: GHSA-26pp-8wgv-hjvm", "shortDescription": {"text": "hono: GHSA-26pp-8wgv-hjvm"}, "fullDescription": {"text": "Hono missing validation of cookie name on write path in setCookie()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-jxxr-4gwj-5jf2", "name": "brace-expansion: GHSA-jxxr-4gwj-5jf2", "shortDescription": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "fullDescription": {"text": "brace-expansion: Large numeric range defeats documented `max` DoS protection"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-f886-m6hf-6m8v", "name": "brace-expansion: GHSA-f886-m6hf-6m8v", "shortDescription": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "fullDescription": {"text": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC125", "name": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeh", "shortDescription": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim "}, "fullDescription": {"text": "Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. 
Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT013", "name": "Agent auto-approve or skip-permissions mode is easy to enable", "shortDescription": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "fullDescription": {"text": "Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. `curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `@google/genai` is 1 major version(s) behind (>=1.33.0 -> 2.8.0)", "shortDescription": {"text": "npm package `@google/genai` is 1 major version(s) behind (>=1.33.0 -> 2.8.0)"}, "fullDescription": {"text": "`@google/genai` is pinned/resolved at >=1.33.0 but the latest stable release on the npm registry is 2.8.0 (1 major version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. 
This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 663 lines (recommend <300)", "shortDescription": {"text": "Average file size is 663 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_README", "name": "No README file found", "shortDescription": {"text": "No README file found"}, "fullDescription": {"text": "Create a README.md with: project name and description, installation instructions, usage examples, configuration options, and contribution guidelines."}, "properties": {"scanner": "repobility-core", 
"category": "documentation", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "GHSA-hm8q-7f3q-5f36", "name": "hono: GHSA-hm8q-7f3q-5f36", "shortDescription": {"text": "hono: GHSA-hm8q-7f3q-5f36"}, "fullDescription": {"text": "Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `package_skill` has cognitive complexity 14 (SonarSource scale). Cognitive", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `package_skill` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 14."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Read the key from an environment variable instead of the source, and add the pattern for the file that stores it to .gitignore. A key that was already committed stays in the repository history, so rotate it."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 27 more): Same pattern found in 27 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 (insertion of sensitive information into log files) for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "GHSA-c2c7-rcm5-vvqj", "name": "picomatch: GHSA-c2c7-rcm5-vvqj", "shortDescription": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "fullDescription": {"text": "Picomatch has a ReDoS vulnerability via extglob quantifiers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI bu"}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `duotify/GitHubClawToolkit/actions/update-comment-action` pinned to mutable ref `@v1`", "shortDescription": {"text": "Action `duotify/GitHubClawToolkit/actions/update-comment-action` pinned to mutable ref `@v1`"}, "fullDescription": {"text": "`uses: duotify/GitHubClawToolkit/actions/update-comment-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express POST /line/webhook has no auth", "shortDescription": {"text": "Express POST /line/webhook has no auth"}, "fullDescription": {"text": "Express route POST /line/webhook declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "`self.send_response` used but never assigned in __init__", "shortDescription": {"text": "`self.send_response` used but never assigned in __init__"}, "fullDescription": {"text": "Method `do_GET` of class `ReviewHandler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "Missing import: `html` used but not imported", "shortDescription": {"text": "Missing import: `html` used but not imported"}, "fullDescription": {"text": "The file uses `html.something(...)` but never imports `html`. 
This raises NameError at runtime the first time the line executes."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1208"}, "properties": {"repository": "duotify/GitHubClawToolkit", "repoUrl": "https://github.com/duotify/GitHubClawToolkit", "branch": "main"}, "results": [{"ruleId": "GHSA-58qx-3vcg-4xpx", "level": "warning", "message": {"text": "ws: GHSA-58qx-3vcg-4xpx"}, "properties": {"repobilityId": 121921, "scanner": "osv-scanner", "fingerprint": "091ac0339b380330938d9c5d8493c8871114cade212581807025cf1b269dca07", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45736"], "package": "ws", "rule_id": "GHSA-58qx-3vcg-4xpx", "scanner": "osv-scanner", "correlation_key": "vuln|ws|CVE-2026-45736|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3v7f-55p6-f55p", "level": "warning", "message": {"text": "picomatch: GHSA-3v7f-55p6-f55p"}, "properties": {"repobilityId": 121919, "scanner": "osv-scanner", "fingerprint": "13cd23f7d4133cbb84988180df9d4a214b0a3e9f77bff21dd270ffff813159f2", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33672"], "package": "picomatch", "rule_id": "GHSA-3v7f-55p6-f55p", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33672|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-v2v4-37r5-5v8g", "level": "warning", "message": {"text": "ip-address: GHSA-v2v4-37r5-5v8g"}, 
"properties": {"repobilityId": 121918, "scanner": "osv-scanner", "fingerprint": "bdafbd0d58c4cea3bd4cd2cfbdcc87279c53dd75cfee060ad21b5b26cebce64d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42338"], "package": "ip-address", "rule_id": "GHSA-v2v4-37r5-5v8g", "scanner": "osv-scanner", "correlation_key": "vuln|ip-address|CVE-2026-42338|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xrhx-7g5j-rcj5", "level": "warning", "message": {"text": "hono: GHSA-xrhx-7g5j-rcj5"}, "properties": {"repobilityId": 121917, "scanner": "osv-scanner", "fingerprint": "8096ac09641cd2a096e675f3d0fdd01d4f22307c5c8ef33ea8edc4c0c6536224", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47674"], "package": "hono", "rule_id": "GHSA-xrhx-7g5j-rcj5", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47674|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xpcf-pg52-r92g", "level": "warning", "message": {"text": "hono: GHSA-xpcf-pg52-r92g"}, "properties": {"repobilityId": 121916, "scanner": "osv-scanner", "fingerprint": "020add554a6a4b4c59a5c49a2c0f93384205687a8af8456bce63dc5443f077cd", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39409"], "package": "hono", "rule_id": "GHSA-xpcf-pg52-r92g", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-39409|workers/line-bot/bun.lock"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xf4j-xp2r-rqqx", "level": "warning", "message": {"text": "hono: GHSA-xf4j-xp2r-rqqx"}, "properties": {"repobilityId": 121915, "scanner": "osv-scanner", "fingerprint": "5c7094fe9363a763fd0148fb1bc22c920908e3b691d6048563afa631be316748", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39408"], "package": "hono", "rule_id": "GHSA-xf4j-xp2r-rqqx", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-39408|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-wmmm-f939-6g9c", "level": "warning", "message": {"text": "hono: GHSA-wmmm-f939-6g9c"}, "properties": {"repobilityId": 121914, "scanner": "osv-scanner", "fingerprint": "e01d6ff3a2822832b899e6a6d3b12212a65ed4bedc08805e8dd27a3e8d545bed", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39407"], "package": "hono", "rule_id": "GHSA-wmmm-f939-6g9c", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-39407|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-r5rp-j6wh-rvv4", "level": "warning", "message": {"text": "hono: GHSA-r5rp-j6wh-rvv4"}, "properties": {"repobilityId": 121913, "scanner": "osv-scanner", "fingerprint": "628aa1bed909f073eef7603b5674ac4d7bafc1c7a2fa7d564cafdc0c0392e1b2", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", 
"aliases": ["CVE-2026-39410"], "package": "hono", "rule_id": "GHSA-r5rp-j6wh-rvv4", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-39410|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-qp7p-654g-cw7p", "level": "warning", "message": {"text": "hono: GHSA-qp7p-654g-cw7p"}, "properties": {"repobilityId": 121912, "scanner": "osv-scanner", "fingerprint": "a0fe2e125ba284fbc145f50a5f7715cfc84af125df5f0ae89d9515bc722e0c82", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44458"], "package": "hono", "rule_id": "GHSA-qp7p-654g-cw7p", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44458|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-p77w-8qqv-26rm", "level": "warning", "message": {"text": "hono: GHSA-p77w-8qqv-26rm"}, "properties": {"repobilityId": 121911, "scanner": "osv-scanner", "fingerprint": "72a99ed412e7679388905948b8a757781e3c2d2c51ddfae5d70a76310ae73379", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44457"], "package": "hono", "rule_id": "GHSA-p77w-8qqv-26rm", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44457|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f577-qrjj-4474", "level": "warning", "message": {"text": "hono: GHSA-f577-qrjj-4474"}, "properties": {"repobilityId": 121909, "scanner": "osv-scanner", "fingerprint": 
"75c70db36e8c6af8ea3f54685652ed6d78b6d8be47a0e22b8f8f41575d70cbc4", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47673"], "package": "hono", "rule_id": "GHSA-f577-qrjj-4474", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47673|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9vqf-7f2p-gf9v", "level": "warning", "message": {"text": "hono: GHSA-9vqf-7f2p-gf9v"}, "properties": {"repobilityId": 121908, "scanner": "osv-scanner", "fingerprint": "76f701b0eb82a7bc39129aaf2d5fd865015eb3ca2c2f6d6fc2663c1fa707e886", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44456"], "package": "hono", "rule_id": "GHSA-9vqf-7f2p-gf9v", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44456|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-69xw-7hcm-h432", "level": "warning", "message": {"text": "hono: GHSA-69xw-7hcm-h432"}, "properties": {"repobilityId": 121907, "scanner": "osv-scanner", "fingerprint": "354279f82e562e0bfcac72a03524ea2d34f3b465097baa8a7f9c5c4c5a3546ee", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44455"], "package": "hono", "rule_id": "GHSA-69xw-7hcm-h432", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44455|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 
1}}}]}, {"ruleId": "GHSA-458j-xx4x-4375", "level": "warning", "message": {"text": "hono: GHSA-458j-xx4x-4375"}, "properties": {"repobilityId": 121906, "scanner": "osv-scanner", "fingerprint": "807b50854bd418369fa032e53c131bb6e9a43fdbff9ec8747c8555cc1485b346", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "hono", "rule_id": "GHSA-458j-xx4x-4375", "scanner": "osv-scanner", "correlation_key": "vuln|hono|GHSA-458J-XX4X-4375|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3hrh-pfw6-9m5x", "level": "warning", "message": {"text": "hono: GHSA-3hrh-pfw6-9m5x"}, "properties": {"repobilityId": 121905, "scanner": "osv-scanner", "fingerprint": "0da9e0068a068df81970767f1ed1a16bf15ea25638557379ebe008767eaff3dc", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47675"], "package": "hono", "rule_id": "GHSA-3hrh-pfw6-9m5x", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-47675|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-2gcr-mfcq-wcc3", "level": "warning", "message": {"text": "hono: GHSA-2gcr-mfcq-wcc3"}, "properties": {"repobilityId": 121904, "scanner": "osv-scanner", "fingerprint": "21d2f92695b2731fb00e6008fcc21fcb9cc38f964451e16b77d8a0f1a3df64f2", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-47676"], "package": "hono", "rule_id": "GHSA-2gcr-mfcq-wcc3", "scanner": "osv-scanner", "correlation_key": 
"vuln|hono|CVE-2026-47676|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-26pp-8wgv-hjvm", "level": "warning", "message": {"text": "hono: GHSA-26pp-8wgv-hjvm"}, "properties": {"repobilityId": 121903, "scanner": "osv-scanner", "fingerprint": "674ac3cf832208a19d458b7733f77037ba5c4b27a104726507e901f6ab73f787", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "hono", "rule_id": "GHSA-26pp-8wgv-hjvm", "scanner": "osv-scanner", "correlation_key": "vuln|hono|GHSA-26PP-8WGV-HJVM|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-jxxr-4gwj-5jf2", "level": "warning", "message": {"text": "brace-expansion: GHSA-jxxr-4gwj-5jf2"}, "properties": {"repobilityId": 121902, "scanner": "osv-scanner", "fingerprint": "38d8b1d4f74b65f37e8777d2e5773d44669e85d68089eda7313be9112132046c", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-45149"], "package": "brace-expansion", "rule_id": "GHSA-jxxr-4gwj-5jf2", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-45149|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-f886-m6hf-6m8v", "level": "warning", "message": {"text": "brace-expansion: GHSA-f886-m6hf-6m8v"}, "properties": {"repobilityId": 121901, "scanner": "osv-scanner", "fingerprint": "fa736186148803b27b6388edd3b99325aef9e17c612353139255d5597d2af82d", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33750"], "package": "brace-expansion", "rule_id": "GHSA-f886-m6hf-6m8v", "scanner": "osv-scanner", "correlation_key": "vuln|brace-expansion|CVE-2026-33750|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC125", "level": "warning", "message": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim \u2014 production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand"}, "properties": {"repobilityId": 121892, "scanner": "repobility-threat-engine", "fingerprint": "4dfd9c7b28c6486ccfbe41cbbae4eafec7c161090402fcc626949b9784bc2bf7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "API_KEY=\"<redacted>", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC125", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4dfd9c7b28c6486ccfbe41cbbae4eafec7c161090402fcc626949b9784bc2bf7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/felo-superAgent/scripts/run_style_library.mjs"}, "region": {"startLine": 146}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 121876, "scanner": "repobility-agent-runtime", "fingerprint": 
"9b080e78b4ff99daf1bda96aed4cc5b0467eed960a74b4a221cb254d2bc59739", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|9b080e78b4ff99daf1bda96aed4cc5b0467eed960a74b4a221cb254d2bc59739"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/copilot-gemini-api/.github/workflows/issue-N.yml"}, "region": {"startLine": 162}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 121875, "scanner": "repobility-agent-runtime", "fingerprint": "fb5798a7950b7bb3ca0a53fab93e3c0f3277f313733884ef292a89f416ae41e9", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|fb5798a7950b7bb3ca0a53fab93e3c0f3277f313733884ef292a89f416ae41e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/copilot-felo/.github/workflows/issue-N.yml"}, "region": {"startLine": 162}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 121874, "scanner": "repobility-agent-runtime", "fingerprint": "b489d24df1abe6ee0e87481782203f8e22c42a5d5bf57b117c60932302f7d7b5", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval 
mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|b489d24df1abe6ee0e87481782203f8e22c42a5d5bf57b117c60932302f7d7b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/codex-gemini-api/.github/workflows/issue-N.yml"}, "region": {"startLine": 158}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 121873, "scanner": "repobility-agent-runtime", "fingerprint": "18d7b5dde799315bb54515e956976dc2c782cfafd77ec5af3a9e936fabe140f3", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|18d7b5dde799315bb54515e956976dc2c782cfafd77ec5af3a9e936fabe140f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/codex-felo/.github/workflows/issue-N.yml"}, "region": {"startLine": 158}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 121872, "scanner": "repobility-agent-runtime", "fingerprint": "67cce86229b078e398b96f99858086074a6dfe3b103c206aeb6294f8db9da409", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|67cce86229b078e398b96f99858086074a6dfe3b103c206aeb6294f8db9da409"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "templates/codex-default/.github/workflows/issue-N.yml"}, "region": {"startLine": 154}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 121871, "scanner": "repobility-agent-runtime", "fingerprint": "921b35e3bf9adb49ad8a3451a0680c0a9b8a53d49a877b8f503cc88a74e3c943", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|921b35e3bf9adb49ad8a3451a0680c0a9b8a53d49a877b8f503cc88a74e3c943"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/antigravity-gcp/.github/workflows/issue-N.yml"}, "region": {"startLine": 127}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@google/genai` is 1 major version(s) behind (>=1.33.0 -> 2.8.0)"}, "properties": {"repobilityId": 121870, "scanner": "repobility-dependency-currency", "fingerprint": "e6a9ec535e2a6268e3921e555f04900f22e63d1b36c3947253700c36bd487382", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@google/genai", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.8.0", "correlation_key": "fp|e6a9ec535e2a6268e3921e555f04900f22e63d1b36c3947253700c36bd487382", "current_version": ">=1.33.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/gemini-audio-transcriber/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": 
"warning", "message": {"text": "npm package `@google/genai` is 1 major version(s) behind (>=1.33.0 -> 2.8.0)"}, "properties": {"repobilityId": 121869, "scanner": "repobility-dependency-currency", "fingerprint": "d5e65117f030e56d882770b56d28747e73bc09bc7f7871826c366ee3137e78de", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@google/genai", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.8.0", "correlation_key": "fp|d5e65117f030e56d882770b56d28747e73bc09bc7f7871826c366ee3137e78de", "current_version": ">=1.33.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/gemini-image-describer/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@google/genai` is 1 major version(s) behind (>=1.33.0 -> 2.8.0)"}, "properties": {"repobilityId": 121868, "scanner": "repobility-dependency-currency", "fingerprint": "841444df13c165b32f3ac7e618237be54a7dc46a827fbbc44dbc1cb2df9416ec", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@google/genai", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.8.0", "correlation_key": "fp|841444df13c165b32f3ac7e618237be54a7dc46a827fbbc44dbc1cb2df9416ec", "current_version": ">=1.33.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/gemini-deep-researcher/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@google/genai` is 1 major version(s) behind 
(>=1.33.0 -> 2.8.0)"}, "properties": {"repobilityId": 121866, "scanner": "repobility-dependency-currency", "fingerprint": "42b4e169e92888c9aeec44a277bc93a3290b93eb4b41082530c56abc54ad76bf", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@google/genai", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.8.0", "correlation_key": "fp|42b4e169e92888c9aeec44a277bc93a3290b93eb4b41082530c56abc54ad76bf", "current_version": ">=1.33.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/gemini-summary/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@google/genai` is 1 major version(s) behind (>=1.33.0 -> 2.8.0)"}, "properties": {"repobilityId": 121863, "scanner": "repobility-dependency-currency", "fingerprint": "b47b5658838028f82500f132e17bdabd615a5efd59db57e2a850625da0f51b46", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@google/genai", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.8.0", "correlation_key": "fp|b47b5658838028f82500f132e17bdabd615a5efd59db57e2a850625da0f51b46", "current_version": ">=1.33.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/codex-gemini-api/.agents/skills/gemini-audio-transcriber/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@google/genai` is 1 major version(s) behind (>=1.33.0 -> 2.8.0)"}, "properties": {"repobilityId": 121862, 
"scanner": "repobility-dependency-currency", "fingerprint": "37753c95e2cd86ab8f0ed8ee93c39deff09b994cac956901ad78f9815376fa19", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@google/genai", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.8.0", "correlation_key": "fp|37753c95e2cd86ab8f0ed8ee93c39deff09b994cac956901ad78f9815376fa19", "current_version": ">=1.33.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/codex-gemini-api/.agents/skills/gemini-image-describer/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@google/genai` is 1 major version(s) behind (>=1.33.0 -> 2.8.0)"}, "properties": {"repobilityId": 121861, "scanner": "repobility-dependency-currency", "fingerprint": "2ce68bd322ad9170aed9b53c70f9f2e0bfc09161e0e00191cd602f566746ada9", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@google/genai", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.8.0", "correlation_key": "fp|2ce68bd322ad9170aed9b53c70f9f2e0bfc09161e0e00191cd602f566746ada9", "current_version": ">=1.33.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/codex-gemini-api/.agents/skills/gemini-deep-researcher/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@google/genai` is 1 major version(s) behind (>=1.33.0 -> 2.8.0)"}, "properties": {"repobilityId": 121859, "scanner": 
"repobility-dependency-currency", "fingerprint": "4b938b8cf68f465a0fdf83025c96a6acf3219f64150bf94f3911b458e6d2caf5", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@google/genai", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.8.0", "correlation_key": "fp|4b938b8cf68f465a0fdf83025c96a6acf3219f64150bf94f3911b458e6d2caf5", "current_version": ">=1.33.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/codex-gemini-api/.agents/skills/gemini-summary/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@google/genai` is 1 major version(s) behind (>=1.33.0 -> 2.8.0)"}, "properties": {"repobilityId": 121858, "scanner": "repobility-dependency-currency", "fingerprint": "8372dc52d2d514e40ab5d7c1414ba1a1bd1bd9485ae1fac3bc9b99a6272a1bd6", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@google/genai", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.8.0", "correlation_key": "fp|8372dc52d2d514e40ab5d7c1414ba1a1bd1bd9485ae1fac3bc9b99a6272a1bd6", "current_version": ">=1.33.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/copilot-gemini-api/.agents/skills/gemini-audio-transcriber/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@google/genai` is 1 major version(s) behind (>=1.33.0 -> 2.8.0)"}, "properties": {"repobilityId": 121857, "scanner": 
"repobility-dependency-currency", "fingerprint": "6cc6625cfd681437dc227033725ce0271e9fc7322282369d8801a807a673dd24", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@google/genai", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.8.0", "correlation_key": "fp|6cc6625cfd681437dc227033725ce0271e9fc7322282369d8801a807a673dd24", "current_version": ">=1.33.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/copilot-gemini-api/.agents/skills/gemini-image-describer/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@google/genai` is 1 major version(s) behind (>=1.33.0 -> 2.8.0)"}, "properties": {"repobilityId": 121856, "scanner": "repobility-dependency-currency", "fingerprint": "01f614364e4ce48becf4ca767ad47014abf213c5604c43961bfa305177d63b08", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@google/genai", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.8.0", "correlation_key": "fp|01f614364e4ce48becf4ca767ad47014abf213c5604c43961bfa305177d63b08", "current_version": ">=1.33.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/copilot-gemini-api/.agents/skills/gemini-deep-researcher/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "warning", "message": {"text": "npm package `@google/genai` is 1 major version(s) behind (>=1.33.0 -> 2.8.0)"}, "properties": {"repobilityId": 121854, "scanner": 
"repobility-dependency-currency", "fingerprint": "5f1a8fc437efa088d9ceaeca773f83335d47f7af8453e115d087c195b69bce30", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@google/genai", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "2.8.0", "correlation_key": "fp|5f1a8fc437efa088d9ceaeca773f83335d47f7af8453e115d087c195b69bce30", "current_version": ">=1.33.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/copilot-gemini-api/.agents/skills/gemini-summary/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 121827, "scanner": "repobility-ast-engine", "fingerprint": "fbab73f68663d7566833c05b6088873fecde30181a256103f30c74f4568e289b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fbab73f68663d7566833c05b6088873fecde30181a256103f30c74f4568e289b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/skill-creator/scripts/run_eval.py"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 121826, "scanner": "repobility-ast-engine", "fingerprint": "bcc5aee1409a51af0d6c7d3ee3ffc16a9aa4134abdc8bf9b31917b38ada594f7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bcc5aee1409a51af0d6c7d3ee3ffc16a9aa4134abdc8bf9b31917b38ada594f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/skill-creator/scripts/package_skill.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 121822, "scanner": "repobility-ast-engine", "fingerprint": "d994cce15a49e7b1e9e092e3c8c1b80b5aa824242855b361035edb7ac9cb0895", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d994cce15a49e7b1e9e092e3c8c1b80b5aa824242855b361035edb7ac9cb0895"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/scripts/run_eval.py"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 121821, "scanner": "repobility-ast-engine", "fingerprint": "62bf3529db5a4241fc5e1e279a3f8dec5ade318f720324b4d593f04697cbca7e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|62bf3529db5a4241fc5e1e279a3f8dec5ade318f720324b4d593f04697cbca7e"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "skills/skill-creator/scripts/package_skill.py"}, "region": {"startLine": 106}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 663 lines (recommend <300)"}, "properties": {"repobilityId": 121795, "scanner": "repobility-core", "fingerprint": "3ab39530bda90500a212de37e1a7f6fdb9c9ec78f42a7de9ee758c869912b810", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|3ab39530bda90500a212de37e1a7f6fdb9c9ec78f42a7de9ee758c869912b810"}}}, {"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 121794, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", "scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "CORE_NO_README", "level": "warning", "message": {"text": "No README file found"}, "properties": {"repobilityId": 121793, "scanner": "repobility-core", "fingerprint": "b55c73163757fe6b2364bb829fcd26e87b9d9e7b367dd2a3307a814b02b29cbd", "category": "documentation", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_README", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_readme"}}}, {"ruleId": "GHSA-hm8q-7f3q-5f36", "level": "note", "message": {"text": "hono: GHSA-hm8q-7f3q-5f36"}, "properties": {"repobilityId": 121910, "scanner": "osv-scanner", "fingerprint": "e7eb13d1af738cf9577e9ee541694db8a76e966da2cd1f1814ef5b66ef813024", "category": "dependency", 
"severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44459"], "package": "hono", "rule_id": "GHSA-hm8q-7f3q-5f36", "scanner": "osv-scanner", "correlation_key": "vuln|hono|CVE-2026-44459|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `package_skill` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=2, else=1, except=1, for=1, if=7, nested_bonus=2."}, "properties": {"repobilityId": 121878, "scanner": "repobility-threat-engine", "fingerprint": "0be6975fa33d571f6b5d6457d47f752d8af700387f5b57ac2a4b31b90819084c", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 14 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "package_skill", "breakdown": {"if": 7, "for": 1, "else": 1, "except": 1, "continue": 2, "nested_bonus": 2}, "complexity": 14, "correlation_key": "fp|0be6975fa33d571f6b5d6457d47f752d8af700387f5b57ac2a4b31b90819084c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/skill-creator/scripts/package_skill.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `node-gyp` is minor version(s) behind (^12.2.0 -> 12.4.0)"}, "properties": {"repobilityId": 121865, "scanner": "repobility-dependency-currency", "fingerprint": "99e571f7df4d90905059037937ae788b4068a52b7949f9f6ea93ccf2e44afd72", "category": "dependency", 
"severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "node-gyp", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "12.4.0", "correlation_key": "fp|99e571f7df4d90905059037937ae788b4068a52b7949f9f6ea93ccf2e44afd72", "current_version": "^12.2.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `node-addon-api` is minor version(s) behind (^8.6.0 -> 8.8.0)"}, "properties": {"repobilityId": 121864, "scanner": "repobility-dependency-currency", "fingerprint": "c619408bd1577fa70edf036a8442d9790a5b40119d2cde6e5f91e34ad378344e", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "node-addon-api", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "8.8.0", "correlation_key": "fp|c619408bd1577fa70edf036a8442d9790a5b40119d2cde6e5f91e34ad378344e", "current_version": "^8.6.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 121796, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fe05be807923ab3a26064a5187f5a1b7d7e40870769f546da2e27b44f9ede62a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different 
non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "workers/line-bot/src/infrastructure/github/github-issues-client.js", "duplicate_line": 8, "correlation_key": "fp|fe05be807923ab3a26064a5187f5a1b7d7e40870769f546da2e27b44f9ede62a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/src/infrastructure/line/line-api-client.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 121896, "scanner": "repobility-threat-engine", "fingerprint": "4a4f0807e4b2a602904c2c23d95abb6f9e09448ebf29c9e0a18b9da6a89476f2", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4a4f0807e4b2a602904c2c23d95abb6f9e09448ebf29c9e0a18b9da6a89476f2"}}}, {"ruleId": "SEC002", "level": "none", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 121891, "scanner": "repobility-threat-engine", "fingerprint": "9461d032ad8c27334f7275a3b1b98593bfff81931bae2cc75d41fdf7905bd9d9", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value looks like a development placeholder, not a live credential", "evidence": {"match": "API_KEY=\"<redacted>\"", "reason": "Value looks like a development placeholder, not a live credential", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|14|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/felo-superAgent/scripts/run_style_library.mjs"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 27 more): Same pattern found in 27 additional files. Review if needed."}, "properties": {"repobilityId": 121890, "scanner": "repobility-threat-engine", "fingerprint": "f5458a7240c7747d6901adf6c8e97a83da5bfeef244bf56867076b292ddda811", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 27 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f5458a7240c7747d6901adf6c8e97a83da5bfeef244bf56867076b292ddda811", "aggregated_count": 27}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 121889, "scanner": "repobility-threat-engine", "fingerprint": "918595e8ddd1d34db3f876e21a0c35f8bab2da4f2fdf309ab4a3fa07b993d90b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|918595e8ddd1d34db3f876e21a0c35f8bab2da4f2fdf309ab4a3fa07b993d90b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/felo-web-fetch/scripts/run_web_fetch.mjs"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 121888, "scanner": "repobility-threat-engine", "fingerprint": "cac7362f3e9d9d11ba3e2e159c2aa468afe86012cea17cee98a76f098ef464d6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cac7362f3e9d9d11ba3e2e159c2aa468afe86012cea17cee98a76f098ef464d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/felo-superAgent/scripts/run_style_library.mjs"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 121887, "scanner": "repobility-threat-engine", "fingerprint": "70ad393520e936b476282a01fcfc5cdc5516887f414ed1b39ed9391ec0e34718", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|70ad393520e936b476282a01fcfc5cdc5516887f414ed1b39ed9391ec0e34718"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/felo-slides/scripts/run_ppt_task.mjs"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 121886, "scanner": "repobility-threat-engine", "fingerprint": "260684795bf2afdc86f315902c265bf0ecbdf41aa73697ff08b95a7d16b6d065", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|260684795bf2afdc86f315902c265bf0ecbdf41aa73697ff08b95a7d16b6d065"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 121885, "scanner": "repobility-threat-engine", "fingerprint": "dba874482865f5311ec3e37ed1b702542ffb6467a55c351126b59d39c8817742", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error(\"\u932f\u8aa4\uff1a\u9700\u8981\u8a2d\u5b9a GEMINI_API_KEY \u74b0\u5883\u8b8a\u6578\u3002\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|14|console.error gemini_api_key"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/gemini-audio-transcriber/src/transcribe.js"}, "region": {"startLine": 142}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 121884, "scanner": "repobility-threat-engine", "fingerprint": "7250c06bb779fe2343f83811c3387d597341f85649f12ef41be6ae3958e27359", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.error('ERROR: FELO_API_KEY not set')", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|27|console.error error: felo_api_key not set"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/felo-web-fetch/scripts/run_web_fetch.mjs"}, "region": {"startLine": 271}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 121883, "scanner": "repobility-threat-engine", "fingerprint": "8a16a74dfa61992789445e5532a23f7b379787fb82677f9539989ea703869844", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.error('ERROR: FELO_API_KEY not set')", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|24|console.error error: felo_api_key not set"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/felo-slides/scripts/run_ppt_task.mjs"}, "region": {"startLine": 250}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 121882, "scanner": "repobility-threat-engine", "fingerprint": "cd10728af055af4c202bef01c65f925c52f963a5fd8b91f020e5b72604d67f67", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "PASSWORD='<redacted>'", "reason": "Safe context pattern detected", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|6|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/agent-browser/templates/authenticated-session.sh"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production 
image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 121881, "scanner": "repobility-threat-engine", "fingerprint": "395650f5c2675d6a60b557b0ea91a81ed87f0d9ac76c0fc2d97a3dca883c2d9f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|395650f5c2675d6a60b557b0ea91a81ed87f0d9ac76c0fc2d97a3dca883c2d9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/agent-browser/install.sh"}, "region": {"startLine": 6}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 121880, "scanner": "repobility-threat-engine", "fingerprint": "8d1502acd42cce6119d839e48acbcfd7f61fd37700295976e1fa3a0ac15210ab", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "improve_description", "breakdown": {"if": 8, "or": 1, "and": 2, "for": 4, "else": 1, "ternary": 5, "nested_bonus": 19}, "aggregated": true, "complexity": 40, "correlation_key": "fp|8d1502acd42cce6119d839e48acbcfd7f61fd37700295976e1fa3a0ac15210ab", "aggregated_count": 11}}}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `linkedom` is patch version(s) behind (^0.18.0 -> 0.18.12)"}, "properties": {"repobilityId": 121867, "scanner": "repobility-dependency-currency", "fingerprint": "ddfb74864b33ddfd78b6fe908cc65530e8155462b68bbc1c714548d2a38af6d9", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "linkedom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.18.12", "correlation_key": "fp|ddfb74864b33ddfd78b6fe908cc65530e8155462b68bbc1c714548d2a38af6d9", "current_version": "^0.18.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/gemini-summary/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `linkedom` is patch version(s) behind (^0.18.0 -> 0.18.12)"}, "properties": {"repobilityId": 121860, "scanner": "repobility-dependency-currency", "fingerprint": "07928a2a520e58462e6039978a6e0ce68f20faecdf29151c9075b58e7e0cecc6", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "linkedom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": 
"0.18.12", "correlation_key": "fp|07928a2a520e58462e6039978a6e0ce68f20faecdf29151c9075b58e7e0cecc6", "current_version": "^0.18.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/codex-gemini-api/.agents/skills/gemini-summary/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `linkedom` is patch version(s) behind (^0.18.0 -> 0.18.12)"}, "properties": {"repobilityId": 121855, "scanner": "repobility-dependency-currency", "fingerprint": "61690b7bb3ccf2f2622b1e94db0572596b9b5e4e4f134a2a97dbbacbb498f9cf", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "linkedom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.18.12", "correlation_key": "fp|61690b7bb3ccf2f2622b1e94db0572596b9b5e4e4f134a2a97dbbacbb498f9cf", "current_version": "^0.18.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/copilot-gemini-api/.agents/skills/gemini-summary/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-c2c7-rcm5-vvqj", "level": "error", "message": {"text": "picomatch: GHSA-c2c7-rcm5-vvqj"}, "properties": {"repobilityId": 121920, "scanner": "osv-scanner", "fingerprint": "5c0dac73c29551f00b229f4f9fd14268cbdb69d58886cb8efab28c5966933b4c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33671"], "package": "picomatch", "rule_id": "GHSA-c2c7-rcm5-vvqj", "scanner": "osv-scanner", "correlation_key": "vuln|picomatch|CVE-2026-33671|workers/line-bot/bun.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/bun.lock"}, "region": 
{"startLine": 1}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 121900, "scanner": "repobility-threat-engine", "fingerprint": "46cafcc965d882ce312a36b357b1755323f30fee7853e6815751c758fda3dcb6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "app.post('/line/webhook', async (c) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|46cafcc965d882ce312a36b357b1755323f30fee7853e6815751c758fda3dcb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/src/presentation/http/line-bot-worker.js"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 121899, "scanner": "repobility-threat-engine", "fingerprint": "81e44674d6b86bccc0359608325759453dd774518141cd104000827a87176f0d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.all(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|81e44674d6b86bccc0359608325759453dd774518141cd104000827a87176f0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/src/presentation/http/line-bot-worker.js"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 121898, "scanner": "repobility-threat-engine", "fingerprint": "348d9df0f8302ad300a957b91068069c7b2de4da20d6f619df218224224b2570", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((error) => `- ${error}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|348d9df0f8302ad300a957b91068069c7b2de4da20d6f619df218224224b2570"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/src/infrastructure/config/worker-name.js"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 121897, "scanner": "repobility-threat-engine", "fingerprint": "66a30fcd5dcbbe4f819484f6377417b91ca4babfeaeabec5b49bc805f5ea797c", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((line) => `> ${line}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|66a30fcd5dcbbe4f819484f6377417b91ca4babfeaeabec5b49bc805f5ea797c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "workers/line-bot/src/domain/line/issue-formatter.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 121895, "scanner": "repobility-threat-engine", "fingerprint": "077ee22c17442b72b11659562435056dd8d3896ff87d6999734813f3c8fd7296", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(v", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|077ee22c17442b72b11659562435056dd8d3896ff87d6999734813f3c8fd7296"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/codex-gemini-api/.agents/skills/gemini-audio-transcriber/src/transcribe.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 121894, "scanner": "repobility-threat-engine", "fingerprint": "00c027a3b7d48a05864f7b0d1a4d83af27aab7aba61e1c1b6a88e508b9b089f4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(v", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|00c027a3b7d48a05864f7b0d1a4d83af27aab7aba61e1c1b6a88e508b9b089f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/gemini-image-describer/src/describe.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 121893, "scanner": "repobility-threat-engine", "fingerprint": "132185344974736e9606089aca3c3712c4c3c8ae12020ccfc442bba10e61af07", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(v", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|132185344974736e9606089aca3c3712c4c3c8ae12020ccfc442bba10e61af07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/gemini-audio-transcriber/src/transcribe.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `validate_skill` has cognitive complexity 27 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: except=1, if=19, nested_bonus=7."}, "properties": {"repobilityId": 121879, "scanner": "repobility-threat-engine", "fingerprint": "fd324934522809d485ffebccc10428a59df60be3a3967a3390bbc35f407147cf", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 27 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "validate_skill", "breakdown": {"if": 19, "except": 1, "nested_bonus": 7}, "complexity": 27, "correlation_key": "fp|fd324934522809d485ffebccc10428a59df60be3a3967a3390bbc35f407147cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/skill-creator/scripts/quick_validate.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `improve_description` has cognitive complexity 40 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: and=2, else=1, for=4, if=8, nested_bonus=19, or=1, ternary=5."}, "properties": {"repobilityId": 121877, "scanner": "repobility-threat-engine", "fingerprint": "199eb9e5a15eed28d65e8877c4bb567ecd7c9fe0919d5498ac794f9581f15896", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 40 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "improve_description", "breakdown": {"if": 8, "or": 1, "and": 2, "for": 4, "else": 1, "ternary": 5, "nested_bonus": 19}, "complexity": 40, "correlation_key": "fp|199eb9e5a15eed28d65e8877c4bb567ecd7c9fe0919d5498ac794f9581f15896"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/skill-creator/scripts/improve_description.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `duotify/GitHubClawToolkit/actions/update-comment-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 121853, "scanner": "repobility-supply-chain", "fingerprint": "6e25529a5bbdff6e2cf9efdae06341388631b26cb4336a8d6a3a32712544ca2a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e25529a5bbdff6e2cf9efdae06341388631b26cb4336a8d6a3a32712544ca2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/default/.github/workflows/issue-N.yml"}, "region": {"startLine": 186}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `duotify/GitHubClawToolkit/actions/error-handler-action` pinned to mutable ref `@v1`"}, "properties": 
{"repobilityId": 121852, "scanner": "repobility-supply-chain", "fingerprint": "8e63bad73dcb51570a5d5ce6fc1587281960a9883c022c1371d2607752ea0e9e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8e63bad73dcb51570a5d5ce6fc1587281960a9883c022c1371d2607752ea0e9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/default/.github/workflows/issue-N.yml"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121851, "scanner": "repobility-supply-chain", "fingerprint": "9b11ca99c737e7c5299c58f3834eec884b7f9b2ba2a3fcd05e5b9d23bc50be63", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9b11ca99c737e7c5299c58f3834eec884b7f9b2ba2a3fcd05e5b9d23bc50be63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/default/.github/workflows/issue-N.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 121850, "scanner": "repobility-supply-chain", "fingerprint": "7505a0ef1aefe481f0909559f4dc2262f07ddebf6855ef7aec6346e8cf253984", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7505a0ef1aefe481f0909559f4dc2262f07ddebf6855ef7aec6346e8cf253984"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/default/.github/workflows/issue-N.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `duotify/GitHubClawToolkit/actions/update-comment-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 121849, "scanner": "repobility-supply-chain", "fingerprint": "615f7f071891e3eabf0f4f6323d239fcb31ce488b724471802370b22eb4b16c2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|615f7f071891e3eabf0f4f6323d239fcb31ce488b724471802370b22eb4b16c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/codex-default/.github/workflows/issue-N.yml"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `duotify/GitHubClawToolkit/actions/error-handler-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 121848, "scanner": "repobility-supply-chain", "fingerprint": "94b0bf69a87e6478db52c0f4fe60813ee48cfb7469fccc9ffbb9791bb5c5c41b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", 
"correlation_key": "fp|94b0bf69a87e6478db52c0f4fe60813ee48cfb7469fccc9ffbb9791bb5c5c41b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/codex-default/.github/workflows/issue-N.yml"}, "region": {"startLine": 176}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `duotify/GitHubClawToolkit/actions/commit-push-issue-branch-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 121847, "scanner": "repobility-supply-chain", "fingerprint": "9fbbb9413152be47740792abd6371ab820aea32ea855ec972a9aa58512392e0e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9fbbb9413152be47740792abd6371ab820aea32ea855ec972a9aa58512392e0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/codex-default/.github/workflows/issue-N.yml"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121846, "scanner": "repobility-supply-chain", "fingerprint": "2be09285ed4cb0e82152b8ea74308624251042d6e719e99e441d14ed0f910241", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2be09285ed4cb0e82152b8ea74308624251042d6e719e99e441d14ed0f910241"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/codex-default/.github/workflows/issue-N.yml"}, 
"region": {"startLine": 84}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 121845, "scanner": "repobility-supply-chain", "fingerprint": "b6318653a66493e0d65f06318e51237ea1be6f221e377446697b203c6c97f862", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b6318653a66493e0d65f06318e51237ea1be6f221e377446697b203c6c97f862"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/codex-default/.github/workflows/issue-N.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `duotify/GitHubClawToolkit/actions/update-comment-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 121844, "scanner": "repobility-supply-chain", "fingerprint": "af6381bd87771cfb5a316afe23344ff79fb1546657aeada5450882cb5d30ea14", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|af6381bd87771cfb5a316afe23344ff79fb1546657aeada5450882cb5d30ea14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/gemini-nanobanana/.github/workflows/issue-N.yml"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `duotify/GitHubClawToolkit/actions/error-handler-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 121843, 
"scanner": "repobility-supply-chain", "fingerprint": "0c0c92923e29d208d98a8c0a83eb127e8d5c89cd87ddfc70a865aafffd0c402e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0c0c92923e29d208d98a8c0a83eb127e8d5c89cd87ddfc70a865aafffd0c402e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/gemini-nanobanana/.github/workflows/issue-N.yml"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `duotify/GitHubClawToolkit/actions/commit-push-issue-branch-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 121842, "scanner": "repobility-supply-chain", "fingerprint": "b8d10d5a87b10bb07587e249cfa2d717fd06461189040915a0c8899997e1b910", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b8d10d5a87b10bb07587e249cfa2d717fd06461189040915a0c8899997e1b910"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/gemini-nanobanana/.github/workflows/issue-N.yml"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 121841, "scanner": "repobility-supply-chain", "fingerprint": "64722cf1be81784c8acf3ecca7c67995f291acc2e89a187a15a3e2ad4a4341ed", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|64722cf1be81784c8acf3ecca7c67995f291acc2e89a187a15a3e2ad4a4341ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/gemini-nanobanana/.github/workflows/issue-N.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121840, "scanner": "repobility-supply-chain", "fingerprint": "8060da1fc0b8679b444e94f5fa2d794e189fa1a47417c09fae7ba734f7a5a48d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8060da1fc0b8679b444e94f5fa2d794e189fa1a47417c09fae7ba734f7a5a48d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/gemini-nanobanana/.github/workflows/issue-N.yml"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 121839, "scanner": "repobility-supply-chain", "fingerprint": "5e1cb09b652d87aa010559f3d158646e00843b4f3e22b86f1eb3847e93e23f29", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", 
"correlation_key": "fp|5e1cb09b652d87aa010559f3d158646e00843b4f3e22b86f1eb3847e93e23f29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/gemini-nanobanana/.github/workflows/issue-N.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `duotify/GitHubClawToolkit/actions/update-comment-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 121838, "scanner": "repobility-supply-chain", "fingerprint": "86efb86cc8cb2ea0e864e4d0a0d0231434e63cfd9841af5d77c8fb6ca8615491", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86efb86cc8cb2ea0e864e4d0a0d0231434e63cfd9841af5d77c8fb6ca8615491"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/copilot-gemini-api/.github/workflows/issue-N.yml"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `duotify/GitHubClawToolkit/actions/error-handler-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 121837, "scanner": "repobility-supply-chain", "fingerprint": "3b2c6ce7e13702efbd97e2b76d74c132a8941449ccef49536fd658d7f801056d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3b2c6ce7e13702efbd97e2b76d74c132a8941449ccef49536fd658d7f801056d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"templates/copilot-gemini-api/.github/workflows/issue-N.yml"}, "region": {"startLine": 184}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `duotify/GitHubClawToolkit/actions/commit-push-issue-branch-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 121836, "scanner": "repobility-supply-chain", "fingerprint": "2879e29769204950469cf5b5f03dd9f99bd1a0a387aa261e0136ebee17e11666", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2879e29769204950469cf5b5f03dd9f99bd1a0a387aa261e0136ebee17e11666"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/copilot-gemini-api/.github/workflows/issue-N.yml"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121835, "scanner": "repobility-supply-chain", "fingerprint": "eb090efa7847d354b6b7b3ebf210709818150c5a34f35216452f5d6a9306077e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb090efa7847d354b6b7b3ebf210709818150c5a34f35216452f5d6a9306077e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/copilot-gemini-api/.github/workflows/issue-N.yml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref 
`@v4`"}, "properties": {"repobilityId": 121834, "scanner": "repobility-supply-chain", "fingerprint": "4b70a82a12eb2c10ddea7d884ea4baaa7d0b6e8dfffc2edd22e31ef1f6b7f1c1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b70a82a12eb2c10ddea7d884ea4baaa7d0b6e8dfffc2edd22e31ef1f6b7f1c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/copilot-gemini-api/.github/workflows/issue-N.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `duotify/GitHubClawToolkit/actions/update-comment-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 121833, "scanner": "repobility-supply-chain", "fingerprint": "1ff5dac0e12661d3fc1653b1d88bc3eb6bffe3a3814d4f2ebbe8fd2080cd3f4c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ff5dac0e12661d3fc1653b1d88bc3eb6bffe3a3814d4f2ebbe8fd2080cd3f4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/copilot-felo/.github/workflows/issue-N.yml"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `duotify/GitHubClawToolkit/actions/error-handler-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 121832, "scanner": "repobility-supply-chain", "fingerprint": "2916c010484996575a2b0a73bf98c5893753b46a475234fd75da082922ae022f", "category": 
"dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2916c010484996575a2b0a73bf98c5893753b46a475234fd75da082922ae022f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/copilot-felo/.github/workflows/issue-N.yml"}, "region": {"startLine": 184}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `duotify/GitHubClawToolkit/actions/commit-push-issue-branch-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 121831, "scanner": "repobility-supply-chain", "fingerprint": "f0f3ae2fde40564b466ad32997d2c78d081d9f655dc4c1d88cb54219341ae382", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0f3ae2fde40564b466ad32997d2c78d081d9f655dc4c1d88cb54219341ae382"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/copilot-felo/.github/workflows/issue-N.yml"}, "region": {"startLine": 178}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 121830, "scanner": "repobility-supply-chain", "fingerprint": "ae0486b439af4eb4b040602bc64b69361beab0d1ce10f8ab78e38e329831ddac", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": 
["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae0486b439af4eb4b040602bc64b69361beab0d1ce10f8ab78e38e329831ddac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/copilot-felo/.github/workflows/issue-N.yml"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 121829, "scanner": "repobility-supply-chain", "fingerprint": "1747b7dfdf4774a3bc07ab4eea403d70b03156bba0fe91a727ad4eccf07dbbd8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1747b7dfdf4774a3bc07ab4eea403d70b03156bba0fe91a727ad4eccf07dbbd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "templates/copilot-felo/.github/workflows/issue-N.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /line/webhook has no auth"}, "properties": {"repobilityId": 121828, "scanner": "repobility-route-auth", "fingerprint": "94b1875e1cc0b0b77818059ea55bb9b5181860f822afb0e4845c65df57002d32", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|94b1875e1cc0b0b77818059ea55bb9b5181860f822afb0e4845c65df57002d32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"workers/line-bot/src/presentation/http/line-bot-worker.js"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_response` used but never assigned in __init__"}, "properties": {"repobilityId": 121825, "scanner": "repobility-ast-engine", "fingerprint": "fe3259112ea81e946a9ac5ab66ea81ef785df5604063c45b811363c895b9b5f3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fe3259112ea81e946a9ac5ab66ea81ef785df5604063c45b811363c895b9b5f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 344}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.path` used but never assigned in __init__"}, "properties": {"repobilityId": 121824, "scanner": "repobility-ast-engine", "fingerprint": "da8cfcdc6cbb2f3c5e32f47db8f6e94a1746d335a7051f8c55547541be0dfcb6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|da8cfcdc6cbb2f3c5e32f47db8f6e94a1746d335a7051f8c55547541be0dfcb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 333}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_response` used but never assigned in __init__"}, "properties": {"repobilityId": 121820, "scanner": 
"repobility-ast-engine", "fingerprint": "380ddb5c3a94305962d3a3281e5efc8c13fb80f759eb1fd1fd12b3c50a273947", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|380ddb5c3a94305962d3a3281e5efc8c13fb80f759eb1fd1fd12b3c50a273947"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 374}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.headers` used but never assigned in __init__"}, "properties": {"repobilityId": 121819, "scanner": "repobility-ast-engine", "fingerprint": "73f6107e5a303fb1f87642affb5552fcc2f47dbfd1b9fc76a69ad9944bb84269", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|73f6107e5a303fb1f87642affb5552fcc2f47dbfd1b9fc76a69ad9944bb84269"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 363}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.wfile` used but never assigned in __init__"}, "properties": {"repobilityId": 121818, "scanner": "repobility-ast-engine", "fingerprint": "943de514a1fc5775a78340831f88068a84f36460d4156f31c94142afaddc1131", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|943de514a1fc5775a78340831f88068a84f36460d4156f31c94142afaddc1131"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 378}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_response` used but never assigned in __init__"}, "properties": {"repobilityId": 121817, "scanner": "repobility-ast-engine", "fingerprint": "7d0562df3ee7c45f8afe903fbb8262c75bd64c025b3d3b1dbc12d14ce6cb3ff4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7d0562df3ee7c45f8afe903fbb8262c75bd64c025b3d3b1dbc12d14ce6cb3ff4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 371}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.rfile` used but never assigned in __init__"}, "properties": {"repobilityId": 121816, "scanner": "repobility-ast-engine", "fingerprint": "53e09347c59965cc5c66cf76f2e98b166a5a7a2361872e6a097fd3cc80b6c3e9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|53e09347c59965cc5c66cf76f2e98b166a5a7a2361872e6a097fd3cc80b6c3e9"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 364}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_error` used but never assigned in __init__"}, "properties": {"repobilityId": 121815, "scanner": "repobility-ast-engine", "fingerprint": "28381f9233c9c5c1371d735c7951ffedc3457c7604bbd1188bbcdeafbee2198a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|28381f9233c9c5c1371d735c7951ffedc3457c7604bbd1188bbcdeafbee2198a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 380}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.end_headers` used but never assigned in __init__"}, "properties": {"repobilityId": 121814, "scanner": "repobility-ast-engine", "fingerprint": "68a4a565377a1e65254cc613f15116418d29e6f59a2a6e49943c71683a2a7830", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|68a4a565377a1e65254cc613f15116418d29e6f59a2a6e49943c71683a2a7830"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 377}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_header` used but never assigned in __init__"}, "properties": {"repobilityId": 121813, 
"scanner": "repobility-ast-engine", "fingerprint": "27fe0f979899d276b48b1cd3a88dd17f550183d4804770e3691aa5958513f994", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|27fe0f979899d276b48b1cd3a88dd17f550183d4804770e3691aa5958513f994"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 376}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_header` used but never assigned in __init__"}, "properties": {"repobilityId": 121812, "scanner": "repobility-ast-engine", "fingerprint": "267c7d7b2aba56c43e3c96e83251548f1d9e0995771fa09f783bf37418982d99", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|267c7d7b2aba56c43e3c96e83251548f1d9e0995771fa09f783bf37418982d99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 375}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.path` used but never assigned in __init__"}, "properties": {"repobilityId": 121811, "scanner": "repobility-ast-engine", "fingerprint": "2b0da5982d5f1cedf5edfdfb6644bc517f5eccf441d5733bbd7ac417f73c2ff8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, 
"mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2b0da5982d5f1cedf5edfdfb6644bc517f5eccf441d5733bbd7ac417f73c2ff8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 362}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.wfile` used but never assigned in __init__"}, "properties": {"repobilityId": 121810, "scanner": "repobility-ast-engine", "fingerprint": "bfd5ecc42e28780c3d5d0178eda0450302ef2ac924632e2e5237c02ba1f412f8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bfd5ecc42e28780c3d5d0178eda0450302ef2ac924632e2e5237c02ba1f412f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 357}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_error` used but never assigned in __init__"}, "properties": {"repobilityId": 121809, "scanner": "repobility-ast-engine", "fingerprint": "74d66c31fb58e78bcd5776560d59115ea4fd0d4cbcb3582db2ad70bb5e659be6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|74d66c31fb58e78bcd5776560d59115ea4fd0d4cbcb3582db2ad70bb5e659be6"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 359}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.end_headers` used but never assigned in __init__"}, "properties": {"repobilityId": 121808, "scanner": "repobility-ast-engine", "fingerprint": "d15976453295c8e2b74d9e72593f976df19093c72c176ebfb3a94078d18d8f2a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d15976453295c8e2b74d9e72593f976df19093c72c176ebfb3a94078d18d8f2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 356}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_header` used but never assigned in __init__"}, "properties": {"repobilityId": 121807, "scanner": "repobility-ast-engine", "fingerprint": "c9157050fda4e8aff0c75bbceb074ae381ae25cf8268b96218ee89e94898523e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c9157050fda4e8aff0c75bbceb074ae381ae25cf8268b96218ee89e94898523e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 355}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_header` used but never assigned in __init__"}, "properties": 
{"repobilityId": 121806, "scanner": "repobility-ast-engine", "fingerprint": "ebbe17e0348a775def6aa25057bf82b8c9f23f225b068a38019629617dd8314f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ebbe17e0348a775def6aa25057bf82b8c9f23f225b068a38019629617dd8314f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 354}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_response` used but never assigned in __init__"}, "properties": {"repobilityId": 121805, "scanner": "repobility-ast-engine", "fingerprint": "d8677a8b707f6a460db21cebacf968217f7357a250ba41ef690397af5ca2e26e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d8677a8b707f6a460db21cebacf968217f7357a250ba41ef690397af5ca2e26e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 353}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.wfile` used but never assigned in __init__"}, "properties": {"repobilityId": 121804, "scanner": "repobility-ast-engine", "fingerprint": "2f1773b949928129825430829d816fb2c07341f13dc39d9b3c667874328d0cfc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2f1773b949928129825430829d816fb2c07341f13dc39d9b3c667874328d0cfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 348}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.path` used but never assigned in __init__"}, "properties": {"repobilityId": 121803, "scanner": "repobility-ast-engine", "fingerprint": "8c8358184bf563a55203fb1148dee1b93fa9734203fce811cc1a9f14d8bea417", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8c8358184bf563a55203fb1148dee1b93fa9734203fce811cc1a9f14d8bea417"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 349}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.end_headers` used but never assigned in __init__"}, "properties": {"repobilityId": 121802, "scanner": "repobility-ast-engine", "fingerprint": "8748864fdef63ad10895d2f224ba09fb83f41fe920731f3c2e294c1c941b7865", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": 
"fp|8748864fdef63ad10895d2f224ba09fb83f41fe920731f3c2e294c1c941b7865"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 347}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_header` used but never assigned in __init__"}, "properties": {"repobilityId": 121801, "scanner": "repobility-ast-engine", "fingerprint": "e652109398cb98cf3da6293600ab1094214e847d20160c9d5fc28002a29babe6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e652109398cb98cf3da6293600ab1094214e847d20160c9d5fc28002a29babe6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 346}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.send_header` used but never assigned in __init__"}, "properties": {"repobilityId": 121800, "scanner": "repobility-ast-engine", "fingerprint": "5ce8f213939da5b5a9bc1fffd884ced5e28e9c9ab988c17ff644ccde0a1785e8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5ce8f213939da5b5a9bc1fffd884ced5e28e9c9ab988c17ff644ccde0a1785e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 345}}}]}, {"ruleId": "MINED108", "level": "error", "message": 
{"text": "`self.send_response` used but never assigned in __init__"}, "properties": {"repobilityId": 121799, "scanner": "repobility-ast-engine", "fingerprint": "fe4c45a533bf0e1470c7c1dd325120ea60ffaaea8a0a65988a5ec79ec6979b01", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fe4c45a533bf0e1470c7c1dd325120ea60ffaaea8a0a65988a5ec79ec6979b01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 344}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "`self.path` used but never assigned in __init__"}, "properties": {"repobilityId": 121798, "scanner": "repobility-ast-engine", "fingerprint": "fd862f18c5f9e43a2ed753dfe045ba4a4950eff7a6367b138813aafe03b206f6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|fd862f18c5f9e43a2ed753dfe045ba4a4950eff7a6367b138813aafe03b206f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 333}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `html` used but not imported"}, "properties": {"repobilityId": 121823, "scanner": "repobility-ast-engine", "fingerprint": "207d1fec8c62a01c8c22780c6026cb8a4e1de758721c87d1806a15292ccdabf4", "category": "quality", "severity": "critical", "confidence": 1.0, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|207d1fec8c62a01c8c22780c6026cb8a4e1de758721c87d1806a15292ccdabf4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 343}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "Missing import: `html` used but not imported"}, "properties": {"repobilityId": 121797, "scanner": "repobility-ast-engine", "fingerprint": "2b22ae24eceb50b478de92c5d25d5ab6374afe3d7d59b5fafb3bc754b65788b1", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2b22ae24eceb50b478de92c5d25d5ab6374afe3d7d59b5fafb3bc754b65788b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "skills/skill-creator/eval-viewer/generate_review.py"}, "region": {"startLine": 343}}}]}]}]}