{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Bind local agent bridges to 127.0.0.1 by default. If remote access is required, require a bearer token or mTLS, enforce origin/CSRF checks for browser clients, and document the threat model."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "Handle QuotaExceededError explicitly, show a toast or error state, and guide the user to export/clear old local data. Log non-quota failures for diagnostics."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 11 more): Same pattern found in 11 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 24 more): Same pattern found in 24 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 20 more): Same pattern found in 20 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.GEMINI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`,", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.GEMINI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GEMINI_API_KEY }` lets a PR from any fork exfiltrate the secr"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/758"}, "properties": {"repository": "garrytan/gstack", "repoUrl": "https://github.com/garrytan/gstack", "branch": "main"}, "results": [{"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 63094, "scanner": "repobility-agent-runtime", "fingerprint": "765b8750fcb628053a73f030b7a59186841aacc4dc41faf09dffbaebfbef975c", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|765b8750fcb628053a73f030b7a59186841aacc4dc41faf09dffbaebfbef975c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/socks-bridge.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 63093, "scanner": "repobility-agent-runtime", "fingerprint": "e54bd72845050f26df1c64fdcede3e566ff9a3b006a4c1a789ed798a56d31c41", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|e54bd72845050f26df1c64fdcede3e566ff9a3b006a4c1a789ed798a56d31c41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/browser-manager.ts"}, "region": {"startLine": 1379}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 63076, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 63072, "scanner": "repobility-threat-engine", "fingerprint": "a3304942ac7c6491e2a314612ba1e6f341e02ef3ba94d74b3343b48d13e6486e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"user@example.com\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a3304942ac7c6491e2a314612ba1e6f341e02ef3ba94d74b3343b48d13e6486e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ios-qa/daemon/src/types.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 63070, "scanner": "repobility-threat-engine", "fingerprint": "bc364368ce425a622a00ec5cd9cb1dcf6f2fc4d098354b2cc7c11bd6727a1ee2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "ive: true });\n  const tmp = `${stateFile}.tmp.${process.pid}.${Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bc364368ce425a622a00ec5cd9cb1dcf6f2fc4d098354b2cc7c11bd6727a1ee2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design/src/daemon-state.ts"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 63064, "scanner": "repobility-threat-engine", "fingerprint": "407551f8284954904f1a399bbd9e1670744ebd7d873c4a576a1cf07e240a9abc", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|make-pdf/src/pdftotext.ts|263|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "make-pdf/src/pdftotext.ts"}, "region": {"startLine": 263}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 63063, "scanner": "repobility-threat-engine", "fingerprint": "08b48743a238542c279d4aac48a2924daccde6a1e17ad3e87b25e73dee415246", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|84|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ios-qa/scripts/gen-accessors.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 63062, "scanner": "repobility-threat-engine", "fingerprint": "5bc38e33b39c3fe72715acf6f4b1801def1830082b026b5e1b91ac10d59df6ec", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|61|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser-skills/hackernews-frontpage/script.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 63049, "scanner": "repobility-threat-engine", "fingerprint": "483756b555a1f1ec629f32dfc5ec914f2a962715bc6a9654487f9dc3717ea4a5", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|483756b555a1f1ec629f32dfc5ec914f2a962715bc6a9654487f9dc3717ea4a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ios-qa/daemon/src/single-instance.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 63048, "scanner": "repobility-threat-engine", "fingerprint": "f12c49e41bef6cecd20f92764851851be456282d88f42205ec527ec2058986d7", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f12c49e41bef6cecd20f92764851851be456282d88f42205ec527ec2058986d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/domain-skill-commands.ts"}, "region": {"startLine": 195}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63092, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2b2a125c5b26b859b4facd5a7a6edde1e8656166592e748500a65387fa706222", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/gen-skill-docs.ts", "duplicate_line": 89, "correlation_key": "fp|2b2a125c5b26b859b4facd5a7a6edde1e8656166592e748500a65387fa706222"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/resolvers/codex-helpers.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63091, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d1a4661e4bfd2fc2c9a58dcb7c3929beee60fe5b892a9aa0d29a535c0aa69375", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "hosts/cursor.ts", "duplicate_line": 24, "correlation_key": "fp|d1a4661e4bfd2fc2c9a58dcb7c3929beee60fe5b892a9aa0d29a535c0aa69375"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hosts/slate.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63090, "scanner": "repobility-ai-code-hygiene", "fingerprint": "039899398c5500ab3b13c6be8109b69d5eb3afa0f799ff75781480c7b4b75649", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "hosts/gbrain.ts", "duplicate_line": 25, "correlation_key": "fp|039899398c5500ab3b13c6be8109b69d5eb3afa0f799ff75781480c7b4b75649"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hosts/openclaw.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63089, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5f664bd7fdce9cbec4e902a574d5e54b8cb4479efd5b3f939d412a04c8f4e5e5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "hosts/cursor.ts", "duplicate_line": 24, "correlation_key": "fp|5f664bd7fdce9cbec4e902a574d5e54b8cb4479efd5b3f939d412a04c8f4e5e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hosts/kiro.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63088, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6f7e3d2388bfde5c9ccbebbc687c65e50343d7b2028ae5010ef052eca8a8db7e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "hosts/gbrain.ts", "duplicate_line": 39, "correlation_key": "fp|6f7e3d2388bfde5c9ccbebbc687c65e50343d7b2028ae5010ef052eca8a8db7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hosts/hermes.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63087, "scanner": "repobility-ai-code-hygiene", "fingerprint": "684dc48f712d0202042a2e1926258aa35e66a273a24ae1137c0bbe1d8082a212", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "hosts/claude/hooks/question-log-hook.ts", "duplicate_line": 2, "correlation_key": "fp|684dc48f712d0202042a2e1926258aa35e66a273a24ae1137c0bbe1d8082a212"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hosts/claude/hooks/question-preference-hook.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63086, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fc37aa7169022af66535a53901320ad8a98e9d7faa56fbaaf0927103b0d044ce", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "extension/content.js", "duplicate_line": 120, "correlation_key": "fp|fc37aa7169022af66535a53901320ad8a98e9d7faa56fbaaf0927103b0d044ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/inspector.js"}, "region": {"startLine": 141}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63085, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ef60b882531af61213aa41036071209e0bcf805863e14dead60d8711293adf09", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "design/src/check.ts", "duplicate_line": 8, "correlation_key": "fp|ef60b882531af61213aa41036071209e0bcf805863e14dead60d8711293adf09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design/src/memory.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63084, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b437bbf119cdde1d46533cb2ba6a1efe598bc3be68367a7cbd2261dbd5ff89b7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "design/src/evolve.ts", "duplicate_line": 41, "correlation_key": "fp|b437bbf119cdde1d46533cb2ba6a1efe598bc3be68367a7cbd2261dbd5ff89b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design/src/iterate.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63083, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ffc2d57a0981028572cb640b821417ca0d0c8665d7fe49076ba24ba055d3aa1e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "design/src/generate.ts", "duplicate_line": 27, "correlation_key": "fp|ffc2d57a0981028572cb640b821417ca0d0c8665d7fe49076ba24ba055d3aa1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design/src/iterate.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63082, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0258afdfcef2925bf8c971e7b8c1f49b39f093c6c636ba499a1bac0008e289d6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "design/src/evolve.ts", "duplicate_line": 42, "correlation_key": "fp|0258afdfcef2925bf8c971e7b8c1f49b39f093c6c636ba499a1bac0008e289d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design/src/generate.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63081, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cf93d1fe0c5c6aad1e8fbffc130c71e8014a2f9c592c457c5a8709afdccda7d3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "design/src/check.ts", "duplicate_line": 12, "correlation_key": "fp|cf93d1fe0c5c6aad1e8fbffc130c71e8014a2f9c592c457c5a8709afdccda7d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design/src/evolve.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63080, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1296da568fac7186405eaca767bf217dc6c0be45ecf7b0e77ba55aec20177f05", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "design/src/check.ts", "duplicate_line": 10, "correlation_key": "fp|1296da568fac7186405eaca767bf217dc6c0be45ecf7b0e77ba55aec20177f05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design/src/diff.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63079, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a9cf513e09cf8063f6d007b82236ade43f7697acaac42d2f4b067e8641f60c6c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "design/src/check.ts", "duplicate_line": 13, "correlation_key": "fp|a9cf513e09cf8063f6d007b82236ade43f7697acaac42d2f4b067e8641f60c6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design/src/design-to-code.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63078, "scanner": "repobility-ai-code-hygiene", "fingerprint": "981880c2c201742e0bb911bc232a63c8564590b63bbc8d862d3d74a899374368", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "browse/src/browse-client.ts", "duplicate_line": 1, "correlation_key": "fp|981880c2c201742e0bb911bc232a63c8564590b63bbc8d862d3d74a899374368"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser-skills/hackernews-frontpage/_lib/browse-client.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63077, "scanner": "repobility-ai-code-hygiene", "fingerprint": "08a62dade92f682b681dda2a87c6b600d41acf29c1e288d9d717ae223565f5c5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "browse/src/pty-session-cookie.ts", "duplicate_line": 19, "correlation_key": "fp|08a62dade92f682b681dda2a87c6b600d41acf29c1e288d9d717ae223565f5c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/sse-session-cookie.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 63075, "scanner": "repobility-threat-engine", "fingerprint": "baa4c15cfd47e7c852128d466710e8b1e03435ed1e3695788114bac46c019682", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|baa4c15cfd47e7c852128d466710e8b1e03435ed1e3695788114bac46c019682"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/preflight-agent-sdk.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 63074, "scanner": "repobility-threat-engine", "fingerprint": "d3e84f16e29092ccdcdf74dafc72641ade7151823d6f4fa67e8e8668e8a1c5ab", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d3e84f16e29092ccdcdf74dafc72641ade7151823d6f4fa67e8e8668e8a1c5ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/capture-baseline.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 63069, "scanner": "repobility-threat-engine", "fingerprint": "501876d43fbaf15c6d4055194dcce53c187c4dbbef78a664b67e46162788cb51", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|501876d43fbaf15c6d4055194dcce53c187c4dbbef78a664b67e46162788cb51"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 63068, "scanner": "repobility-threat-engine", "fingerprint": "7785ebec96ee695e2a712b64f16f612b4ae897d060bdd932a3853fdfc484afad", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error(\"No API key found. Set OPENAI_API_KEY or save to ~/.gstack/openai.json\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|design/prototype.ts|1|console.error no api key found. set openai_api_key or save to /.gstack/openai.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design/prototype.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 63065, "scanner": "repobility-threat-engine", "fingerprint": "c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 63061, "scanner": "repobility-threat-engine", "fingerprint": "a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "aggregated_count": 4}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 63060, "scanner": "repobility-threat-engine", "fingerprint": "1da1d78af614edee8b4c731e1b5f5f67d791adae383b5928d94548b99608b1f6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1da1d78af614edee8b4c731e1b5f5f67d791adae383b5928d94548b99608b1f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/security-sidecar-client.ts"}, "region": {"startLine": 217}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 63059, "scanner": "repobility-threat-engine", "fingerprint": "d36a52e3ee919fa2c66bad7e52f1ba29e36aa7e57fe46a6a07d48e234000d9ed", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d36a52e3ee919fa2c66bad7e52f1ba29e36aa7e57fe46a6a07d48e234000d9ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/sanitize.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 63058, "scanner": "repobility-threat-engine", "fingerprint": "fd6dda1d53878d71b404359698a24f4b90edcb9034e8f8a0321b2f2522f2a0b1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fd6dda1d53878d71b404359698a24f4b90edcb9034e8f8a0321b2f2522f2a0b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/proxy-config.ts"}, "region": {"startLine": 113}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 63057, "scanner": "repobility-threat-engine", "fingerprint": "606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 63053, "scanner": "repobility-threat-engine", "fingerprint": "3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 63047, "scanner": "repobility-threat-engine", "fingerprint": "10405ed5972d0163fa5681e2bb04cbe673746353d2f755e6d028c473b94466e9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|10405ed5972d0163fa5681e2bb04cbe673746353d2f755e6d028c473b94466e9", "aggregated_count": 11}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 63046, "scanner": "repobility-threat-engine", "fingerprint": "a5bc9f85d751fd6982ea9bef1879e0711167c0a920030b803ac94659cac7af2b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a5bc9f85d751fd6982ea9bef1879e0711167c0a920030b803ac94659cac7af2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design/prototype.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 63045, "scanner": "repobility-threat-engine", "fingerprint": "59fc422f1118f92fc23292a2cf07fac7d97d7180d6e1e219762bf3a7890acfdf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|59fc422f1118f92fc23292a2cf07fac7d97d7180d6e1e219762bf3a7890acfdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/terminal-agent-control.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 63044, "scanner": "repobility-threat-engine", "fingerprint": "db72be088a49252963856b38d0ea8f05702f611fae962e3b2ff1e212b0b9c5ea", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|db72be088a49252963856b38d0ea8f05702f611fae962e3b2ff1e212b0b9c5ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/domain-skill-commands.ts"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "properties": {"repobilityId": 63041, "scanner": "repobility-threat-engine", "fingerprint": "611a3b5d0fdc0116906e1532f1881f82eb6e833296cc6aefa3f08bcec084668a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|611a3b5d0fdc0116906e1532f1881f82eb6e833296cc6aefa3f08bcec084668a", "aggregated_count": 24}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 63040, "scanner": "repobility-threat-engine", "fingerprint": "123057ee32698b1a25bb7440fa490404705754295f8ee629a4d1a65269db3827", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|123057ee32698b1a25bb7440fa490404705754295f8ee629a4d1a65269db3827"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/find-browse.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 63039, "scanner": "repobility-threat-engine", "fingerprint": "426fe5c77b324f46fbe9cd473529c53a8d9c3168794f91a06c203cf19ff33ef2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|426fe5c77b324f46fbe9cd473529c53a8d9c3168794f91a06c203cf19ff33ef2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/file-permissions.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 63038, "scanner": "repobility-threat-engine", "fingerprint": "ab067e026f9e3abef6b85dda49618da295c2eab971b45be003471373b87df6c6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ab067e026f9e3abef6b85dda49618da295c2eab971b45be003471373b87df6c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/config.ts"}, "region": {"startLine": 203}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 63037, "scanner": "repobility-threat-engine", "fingerprint": "384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|384b13d01eca021cad8caa867cbe69ee4fc1353f389030e2ca3b6fe8412f11af"}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 63033, "scanner": "repobility-threat-engine", "fingerprint": "87a25b5d2136cb25a9c0e8ca888d0ef9def52d4db675882cc34d89f0fea209d1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|87a25b5d2136cb25a9c0e8ca888d0ef9def52d4db675882cc34d89f0fea209d1", "aggregated_count": 20}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 63032, "scanner": "repobility-threat-engine", "fingerprint": "20f7d2946bea573cfb5a39b1055b8927d6b597021810aa1d23f1052adc68390e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|20f7d2946bea573cfb5a39b1055b8927d6b597021810aa1d23f1052adc68390e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/cdp-bridge.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 63031, "scanner": "repobility-threat-engine", "fingerprint": "4037d17e963f76effc996959317705359b73c1701569c96ec9627bc51326ccfd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4037d17e963f76effc996959317705359b73c1701569c96ec9627bc51326ccfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/browser-skill-write.ts"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 63030, "scanner": "repobility-threat-engine", "fingerprint": "20bf74f7ee6fc30d96b5d67edab6cb6ba6f4f4f90aeb536a7eb161b4008a40a4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|20bf74f7ee6fc30d96b5d67edab6cb6ba6f4f4f90aeb536a7eb161b4008a40a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/browse-client.ts"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 63029, "scanner": "repobility-threat-engine", "fingerprint": "bca2d9cf81f186bceecde6160af762e4f64f00a92e729fabd21f0114ff27fcd4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bca2d9cf81f186bceecde6160af762e4f64f00a92e729fabd21f0114ff27fcd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ios-qa/daemon/src/proxy.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 63028, "scanner": "repobility-threat-engine", "fingerprint": "0d19ea1f7646a9a2c608c9474d5875ad4e59ffc2bc9f94865b3dd5f5deae451c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0d19ea1f7646a9a2c608c9474d5875ad4e59ffc2bc9f94865b3dd5f5deae451c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/proxy-config.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 63027, "scanner": "repobility-threat-engine", "fingerprint": "62867965e4cc04e9dbb06e9adf82e51869a33cbcc27363ac683f325343c532b9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|62867965e4cc04e9dbb06e9adf82e51869a33cbcc27363ac683f325343c532b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/activity.ts"}, "region": {"startLine": 96}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 63026, "scanner": "repobility-threat-engine", "fingerprint": "4a4f0807e4b2a602904c2c23d95abb6f9e09448ebf29c9e0a18b9da6a89476f2", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4a4f0807e4b2a602904c2c23d95abb6f9e09448ebf29c9e0a18b9da6a89476f2"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63120, "scanner": "repobility-supply-chain", "fingerprint": "77e3436c5d63b547db14cfa2cef452f14370437ab672c8b7097697f92a80cb38", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|77e3436c5d63b547db14cfa2cef452f14370437ab672c8b7097697f92a80cb38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-image.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rhysd/actionlint` pinned to mutable ref `@v1.7.11`: `uses: rhysd/actionlint@v1.7.11` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63119, "scanner": "repobility-supply-chain", "fingerprint": "9d6688b73838cb7be7f8920e3b5cc40b9f483aca6f5163e30dcfeb6bf60614c4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9d6688b73838cb7be7f8920e3b5cc40b9f483aca6f5163e30dcfeb6bf60614c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/actionlint.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63118, "scanner": "repobility-supply-chain", "fingerprint": "7ddaac59bdbc22492396dac6ac73ee2cc16997025485c1e90f341c9fa62ab77a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7ddaac59bdbc22492396dac6ac73ee2cc16997025485c1e90f341c9fa62ab77a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/actionlint.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63117, "scanner": "repobility-supply-chain", "fingerprint": "d11d42c3269ebd0002c8ad4d0b6a26b3bcd67ddaf32e479eae3a05561031dc6f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d11d42c3269ebd0002c8ad4d0b6a26b3bcd67ddaf32e479eae3a05561031dc6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/make-pdf-gate.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63116, "scanner": "repobility-supply-chain", "fingerprint": "111a144330eade217a3918bace1638a1bac6d98cbc04a42ca66bf034d48b54cd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|111a144330eade217a3918bace1638a1bac6d98cbc04a42ca66bf034d48b54cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/make-pdf-gate.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63115, "scanner": "repobility-supply-chain", "fingerprint": "520a9cb001a930aeb7f750505f25a43931bb8c54e728d99d2b17d279dad2f55e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|520a9cb001a930aeb7f750505f25a43931bb8c54e728d99d2b17d279dad2f55e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals-periodic.yml"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63114, "scanner": "repobility-supply-chain", "fingerprint": "375f919fcfd966de993b262ad5dec32c49da2e35f3582187373d17aacda64378", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|375f919fcfd966de993b262ad5dec32c49da2e35f3582187373d17aacda64378"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals-periodic.yml"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63113, "scanner": "repobility-supply-chain", "fingerprint": "e4589e0a92ce7b653b0aeee1fba1cd3c81a05bb485aa0a223a2ee53e9643bfb9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e4589e0a92ce7b653b0aeee1fba1cd3c81a05bb485aa0a223a2ee53e9643bfb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals-periodic.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v1`: `uses: oven-sh/setup-bun@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63112, "scanner": "repobility-supply-chain", "fingerprint": "723c21243ddad693909aacef2cd6559e6bbfeae84b295b39ff33ee8c62a21049", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|723c21243ddad693909aacef2cd6559e6bbfeae84b295b39ff33ee8c62a21049"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/windows-free-tests.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63111, "scanner": "repobility-supply-chain", "fingerprint": "65d57bd0aba29e1d323049401e9baa8309d5854ec3184c27cab2e3e68d8096d6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|65d57bd0aba29e1d323049401e9baa8309d5854ec3184c27cab2e3e68d8096d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/windows-free-tests.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63110, "scanner": "repobility-supply-chain", "fingerprint": "e9ce9e390fc404fb13cf10730cf1eec4b0315087f62c11ddec6efad1c2b0e13f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e9ce9e390fc404fb13cf10730cf1eec4b0315087f62c11ddec6efad1c2b0e13f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-title-sync.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v1`: `uses: oven-sh/setup-bun@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63109, "scanner": "repobility-supply-chain", "fingerprint": "e965bca16a431c0c5191bdce10ed55549b1cf52a334b20264ff27d4169d538a7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e965bca16a431c0c5191bdce10ed55549b1cf52a334b20264ff27d4169d538a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/windows-setup-e2e.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63108, "scanner": "repobility-supply-chain", "fingerprint": "96a8e5f2d15cdf8bfd4644b1964185010dd9b9d1f5efffa22f964658d21e1d0b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|96a8e5f2d15cdf8bfd4644b1964185010dd9b9d1f5efffa22f964658d21e1d0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/windows-setup-e2e.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63104, "scanner": "repobility-supply-chain", "fingerprint": "01570b3ba83e106a138e84e0d89902aca7c7797b52c9e67fd087aca2494bbbfb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|01570b3ba83e106a138e84e0d89902aca7c7797b52c9e67fd087aca2494bbbfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63103, "scanner": "repobility-supply-chain", "fingerprint": "127221946349c013d10c47dd399d249d06c5614e1705585afba595deab3b567e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|127221946349c013d10c47dd399d249d06c5614e1705585afba595deab3b567e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63102, "scanner": "repobility-supply-chain", "fingerprint": "19d9cb13e26f329f2cfe36847a83e0d102aeaa309b7874afb451fe8f8bd002f0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|19d9cb13e26f329f2cfe36847a83e0d102aeaa309b7874afb451fe8f8bd002f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63101, "scanner": "repobility-supply-chain", "fingerprint": "6e7c937646f68b5f13afeec51058eed614a007b762fdb8bb8274fb4963c31aa7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e7c937646f68b5f13afeec51058eed614a007b762fdb8bb8274fb4963c31aa7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63100, "scanner": "repobility-supply-chain", "fingerprint": "ca6569d808f058a0ddf35f9683f5f9854c719842f9d8798b96e3d1401fbff5e0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ca6569d808f058a0ddf35f9683f5f9854c719842f9d8798b96e3d1401fbff5e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63099, "scanner": "repobility-supply-chain", "fingerprint": "2834dc2b58fc5a40ef7fa854505bae55ed936226fc647ab50deb65f95307f6cc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2834dc2b58fc5a40ef7fa854505bae55ed936226fc647ab50deb65f95307f6cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/version-gate.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63098, "scanner": "repobility-supply-chain", "fingerprint": "16c03ed1afefb8c2d70ed3d75bdae540dd7c0f6a7ba5ea503fa660aa884e9f11", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|16c03ed1afefb8c2d70ed3d75bdae540dd7c0f6a7ba5ea503fa660aa884e9f11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/version-gate.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63097, "scanner": "repobility-supply-chain", "fingerprint": "64ad4d8a0de2f0e06ba880b8a83fabe5cec5f4bea0bade6f450070b8d46b0372", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|64ad4d8a0de2f0e06ba880b8a83fabe5cec5f4bea0bade6f450070b8d46b0372"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/skill-docs.yml"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 63096, "scanner": "repobility-supply-chain", "fingerprint": "1162372932ce37cfd70a72682ef692fa31194e6e0fa84cfe36027e613a3eca0d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1162372932ce37cfd70a72682ef692fa31194e6e0fa84cfe36027e613a3eca0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/skill-docs.yml"}, "region": {"startLine": 7}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 63095, "scanner": "repobility-journey-contract", "fingerprint": "5d93322f275f86f014bc395d5156a02d23160c415b89183e8b7f48f4d2987747", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|extension/sidepanel.js|1034|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 2}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "extension/sidepanel.js"}, "region": {"startLine": 1034}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 63073, "scanner": "repobility-threat-engine", "fingerprint": "7e482db921909935c6910a23d1e708e7107e3f9ea9e7e5e0beec14bc2057940c", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.resolve(opts.input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|68|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "make-pdf/src/orchestrator.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 63071, "scanner": "repobility-threat-engine", "fingerprint": "398f0fe34d1649adb6b02d0bf903cf7d272ab0881dbcad968f490d6601e9e344", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|398f0fe34d1649adb6b02d0bf903cf7d272ab0881dbcad968f490d6601e9e344"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "hosts/claude/hooks/question-log-hook.ts"}, "region": {"startLine": 102}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 63067, "scanner": "repobility-threat-engine", "fingerprint": "3fddf3296c91df09eb3a1883f774f55e5700d6ec6376b1f357303c1e650955a1", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.log(`  catalog tokens: ~${baseline.estTotalCatalogTokens}`)", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|scripts/capture-baseline.ts|4|console.log catalog tokens: token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/capture-baseline.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 63066, "scanner": "repobility-threat-engine", "fingerprint": "ea4fcbaa1a1e90e3a45d7b40803f22adfe3f066b516060aa13a1b406ccf45fc3", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.error(\"  or save to ~/.gstack/openai.json: { \\\"api_key\\\": \\\"sk-...\\\" }\")", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|design/src/auth.ts|12|console.error or save to /.gstack/openai.json: api_key : sk-..."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "design/src/auth.ts"}, "region": {"startLine": 127}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 63056, "scanner": "repobility-threat-engine", "fingerprint": "68be2921f1ddc0ec932f4e0e660a18b60e53b77f5d263612f9bae79c6c278493", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(source", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|68be2921f1ddc0ec932f4e0e660a18b60e53b77f5d263612f9bae79c6c278493"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ios-qa/scripts/gen-accessors.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 63055, "scanner": "repobility-threat-engine", "fingerprint": "5037a4993b2e7477d373de78d7ced521c365961bd7f3538e609ea4f5d5f646be", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(html", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5037a4993b2e7477d373de78d7ced521c365961bd7f3538e609ea4f5d5f646be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browser-skills/hackernews-frontpage/script.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 63054, "scanner": "repobility-threat-engine", "fingerprint": "bd048c1011a04d816703b7a989167e64b6aa5fd166f45bdff1ed1b450d413ea8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(slugBin", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bd048c1011a04d816703b7a989167e64b6aa5fd166f45bdff1ed1b450d413ea8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/project-slug.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 63052, "scanner": "repobility-threat-engine", "fingerprint": "cb1dd5c0beefec407fa5ff3506c4aeb50042f8e970fc35bb33c33b1ea0618a5b", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([s, c]) => `${s}(${c}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cb1dd5c0beefec407fa5ff3506c4aeb50042f8e970fc35bb33c33b1ea0618a5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/analytics.ts"}, "region": {"startLine": 120}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 63051, "scanner": "repobility-threat-engine", "fingerprint": "6cefff3ecd2420c802d69f602a672e3ea496defd3ed69ea3cc726330f3ac68b0", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((e, i) =>\n      `  [${i + 1}] ${e.status} ${e.url.slice(0, 100)} (${Math.round(e.size / 1024)}KB", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6cefff3ecd2420c802d69f602a672e3ea496defd3ed69ea3cc726330f3ac68b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/network-capture.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 63050, "scanner": "repobility-threat-engine", "fingerprint": "486446694394fbdfb594e070d62f6191571e06384dba0f0955140227d0a3b8ca", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([t, n]) => `${t}=${n}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|486446694394fbdfb594e070d62f6191571e06384dba0f0955140227d0a3b8ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/memory-command.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 63043, "scanner": "repobility-threat-engine", "fingerprint": "e7fc3c35d9ebed76fbf7990114c676352bedf111ca55ea6a8f945c6405fa3a69", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(filterPattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e7fc3c35d9ebed76fbf7990114c676352bedf111ca55ea6a8f945c6405fa3a69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/network-capture.ts"}, "region": {"startLine": 150}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 63042, "scanner": "repobility-threat-engine", "fingerprint": "4a19e5fafb67f69d98b531f8f1174f8d4a3547b0c145640b4c92d62980d96913", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4a19e5fafb67f69d98b531f8f1174f8d4a3547b0c145640b4c92d62980d96913"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/content-security.ts"}, "region": {"startLine": 152}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 63036, "scanner": "repobility-threat-engine", "fingerprint": "a37bb77c5de65a60ee6983ee3da085560e70412455bc83b435e9f405ebacb9d3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "leases.delete(sessionId);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a37bb77c5de65a60ee6983ee3da085560e70412455bc83b435e9f405ebacb9d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/pty-session-lease.ts"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 63035, "scanner": "repobility-threat-engine", "fingerprint": "e9bc8a42499b9d44dd3c3e81002c3f34c8c9929b563b512601f46daf136454b4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "sessions.delete(token);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e9bc8a42499b9d44dd3c3e81002c3f34c8c9929b563b512601f46daf136454b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/pty-session-cookie.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 63034, "scanner": "repobility-threat-engine", "fingerprint": "90fabe2daf12ebd1ec8cdb20d1439724bd9ad76215795f8926246324a6a9f952", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cache.delete(page);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|90fabe2daf12ebd1ec8cdb20d1439724bd9ad76215795f8926246324a6a9f952"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/cdp-bridge.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 63025, "scanner": "repobility-threat-engine", "fingerprint": "6273daec13e1c9d67cc5f5fbe8f4805420551bb90b4af4049546e83739ca80c3", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6273daec13e1c9d67cc5f5fbe8f4805420551bb90b4af4049546e83739ca80c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/proxy-redact.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 63024, "scanner": "repobility-threat-engine", "fingerprint": "785a72e556e964c084425b43ef2c319e37894f32f354e51a04e2b2dddd6407fc", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(o", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|785a72e556e964c084425b43ef2c319e37894f32f354e51a04e2b2dddd6407fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/proxy-config.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 63023, "scanner": "repobility-threat-engine", "fingerprint": "b6f4b946f246703c75ba22c3dab9cbbfdc028d0b02834e66ce6e0c5f209b72e8", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b6f4b946f246703c75ba22c3dab9cbbfdc028d0b02834e66ce6e0c5f209b72e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "browse/src/activity.ts"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GEMINI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GEMINI_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63107, "scanner": "repobility-supply-chain", "fingerprint": "3db3bbe4e932c9a94d1363d1b68333a6539eecf2680de4f612ae3fe8aebabf0f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3db3bbe4e932c9a94d1363d1b68333a6539eecf2680de4f612ae3fe8aebabf0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.OPENAI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.OPENAI_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63106, "scanner": "repobility-supply-chain", "fingerprint": "6ed002da78807d3c4a36d6130b2a4a237a91b8249a41559f40b954bfcf7ec0d6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6ed002da78807d3c4a36d6130b2a4a237a91b8249a41559f40b954bfcf7ec0d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ANTHROPIC_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63105, "scanner": "repobility-supply-chain", "fingerprint": "3311c131dfbc1d380e5bd2af7770a2667d069864257c0e0d0e48f1aeb3c8dcfd", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3311c131dfbc1d380e5bd2af7770a2667d069864257c0e0d0e48f1aeb3c8dcfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/evals.yml"}, "region": {"startLine": 142}}}]}]}]}