{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built evaluators with allow-lists) \u2014 but treat them as defense in depth, not a security boundary (asteval's own documentation makes no safety guarantee): keep the allow-list minimal and bound the CPU, memory and wall-clock time of every evaluation.\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace.\nTriage note: this rule targets Python eval()/exec(). A match on `exec(` or `::exec(` in C or C++ sources (e.g. an event-loop `exec()` method) is a name collision, not dynamic code evaluation, and should be closed as a false positive."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used. A duplicate between a file and its platform-specific sibling (e.g. Foo.cpp next to FooWindows.cpp) is usually an intentional build-time alternative where only one copy is compiled per target; confirm that before treating it as dead code."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. 
Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Resolve the TODO/FIXME/HACK or convert it into a tracked issue with an owner. When the comment marks a skipped validation, an unhandled input shape or an incomplete error path in parsing code (the flagged site is in an ASN.1 decoder), treat the gap as a correctness and security risk until it is closed, not as a style nit."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Remove the console.log or route it through a leveled logger that is disabled in production builds, and check that the logged values are not credential-bearing or user-identifying. See CWE-532 (insertion of sensitive information into a log file) for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata (an unsalted hash of a low-entropy secret such as a password is still recoverable offline, so prefer redaction over hashing for those). 
Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED075", "name": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL.", "shortDescription": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "fullDescription": {"text": "Check the allocator's return value for NULL before it is dereferenced, or route the call through a helper that aborts on allocation failure; an unchecked result turns out-of-memory into a NULL pointer dereference (CWE-690). The flagged site is in AK/kmalloc.cpp, i.e. the project's own allocator wrapper, which may be exactly where that abort-on-failure policy is meant to live \u2014 confirm before changing it."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Hand the result of `new` to an owning smart pointer (unique_ptr or the project's RAII wrapper) at the allocation site. Expect this pattern to fire inside the smart-pointer and factory code that implements ownership itself; the flagged sites in AK/NonnullRefPtr.h, AK/NonnullOwnPtr.h and AK/Singleton.h look like that case and should be triaged as the owning site rather than a leak, unless the raw pointer escapes unmanaged. See CWE-401 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  parts = urlparse(url)\n  if parts.scheme not in ('http', 'https') or parts.hostname not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nA hostname allowlist alone is not sufficient: disable redirect following (or re-validate every hop), and resolve the name and check the resulting addresses, ideally connecting to the address you checked so DNS rebinding cannot swap it after validation.\nBlock private and special-purpose ranges explicitly, in both address families: 10/8, 172.16/12, 192.168/16, 169.254/16 (cloud metadata endpoints live here), 127/8, 0.0.0.0/8, 100.64/10, ::1, fc00::/7, fe80::/10 and IPv4-mapped IPv6 (::ffff:0:0/96)."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `ghcr.io/ladybirdbrowser/ladybird-ci:2026.05.25` unpinned: `container/servi", "shortDescription": {"text": "[MINED126] Workflow container/services image `ghcr.io/ladybirdbrowser/ladybird-ci:2026.05.25` unpinned: `container/services image: ghcr.io/ladybirdbrowser/ladybird-ci:2026.05.25` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "fullDescription": {"text": "Replace with `ghcr.io/ladybirdbrowser/ladybird-ci:2026.05.25@sha256:<digest>`; keep the tag for readability, but only the digest is enforced at pull time. Re-pin via Dependabot Docker scope. The image is published under the same GitHub organization as this repository, so the workflow that builds and pushes it needs the same protections (pinned inputs, restricted write access to the package); otherwise the digest pin only relocates the trust boundary."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `JamesIves/github-pages-deploy-action` pinned to mutable ref `@v4.8.0`: `uses: JamesIves/github-pages-", "shortDescription": {"text": "[MINED115] Action `JamesIves/github-pages-deploy-action` pinned to mutable ref `@v4.8.0`: `uses: JamesIves/github-pages-deploy-action@v4.8.0` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos."}, "fullDescription": {"text": "Replace with: `uses: JamesIves/github-pages-deploy-action@<40-char-sha>  # v4.8.0` and let Dependabot bump it on a scheduled cadence (Dependabot keeps the trailing version comment in step with the SHA). Verify that the SHA is a commit in the action's own repository and not in a fork, since GitHub resolves fork-network commits under the upstream name. Note that the pin covers only this action's repository: anything the action pulls in when it runs (nested `uses:` steps, npm packages of a JavaScript action) is not pinned by it."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions. This check appears to key on those directory names only; a repository that keeps its tests elsewhere (for example a capitalized Tests/ tree, or C++ tests driven by CTest) will be flagged regardless, so confirm whether tests exist before acting on this finding."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.LADYBIRD_BOT_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_reque", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.LADYBIRD_BOT_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.LADYBIRD_BOT_TOKEN }` lets a PR from any fork exfiltrate "}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs at any point in that job \u2014 not merely before the secret is read: checking out the PR head (`ref: ${{ github.event.pull_request.head.sha }}`) and then executing its scripts, build files or package lifecycle hooks hands the secret and a write-scoped GITHUB_TOKEN to the fork. The robust pattern is a `pull_request` job that builds an artifact with no secrets, plus a separate `workflow_run` job that consumes the artifact with the secret. Before rating this critical, confirm the exposure: GitHub withholds repository secrets from `pull_request` runs triggered from forks (only a read-only GITHUB_TOKEN is provided), so the direct exfiltration path applies to PRs opened from branches in the base repository, or if the trigger is in fact `pull_request_target`."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/862"}, "properties": {"repository": "LadybirdBrowser/ladybird", "repoUrl": "https://github.com/LadybirdBrowser/ladybird", "branch": "master"}, "results": [{"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. 
Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 77960, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 77957, "scanner": "repobility-threat-engine", "fingerprint": "e6c58a01bb7dd321b68f7dc581bdb3bf84f3be7f41eb9f96a333baf996a0db65", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|55|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Libraries/LibCore/EventLoopImplementation.h"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 77956, "scanner": "repobility-threat-engine", "fingerprint": "879090dec9c49d38fb46a59f064091e785ec6d8b7e49a8a2472d8826f9a38257", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|60|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Libraries/LibCore/EventLoop.h"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 77955, "scanner": "repobility-threat-engine", "fingerprint": "468d17edde64912e56761190bdc37e64517f142256ad610cb8e937a54b9946f9", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ":exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|79|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Libraries/LibCore/EventLoop.cpp"}, "region": {"startLine": 79}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77967, "scanner": "repobility-ai-code-hygiene", "fingerprint": "af3b0f19506deb6e6586bf90ff697781d8f5f9279dc2d034d7576a4209a782bf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Libraries/LibCore/UDPServer.cpp", "duplicate_line": 22, "correlation_key": "fp|af3b0f19506deb6e6586bf90ff697781d8f5f9279dc2d034d7576a4209a782bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Libraries/LibCore/UDPServerWindows.cpp"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77966, "scanner": "repobility-ai-code-hygiene", "fingerprint": "864b162187aee2db1545dee9464757f16a9455b67ad9f3e6d7b54eb2ea245b61", "category": "quality", "severity": "low", 
"confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Libraries/LibCore/TCPServer.cpp", "duplicate_line": 14, "correlation_key": "fp|864b162187aee2db1545dee9464757f16a9455b67ad9f3e6d7b54eb2ea245b61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Libraries/LibCore/TCPServerWindows.cpp"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77965, "scanner": "repobility-ai-code-hygiene", "fingerprint": "db87aee59b67357e734c32faf8aec2ebede549e5fdd4b67613c039834ad1a887", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Libraries/LibCore/System.cpp", "duplicate_line": 63, "correlation_key": "fp|db87aee59b67357e734c32faf8aec2ebede549e5fdd4b67613c039834ad1a887"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Libraries/LibCore/SystemWindows.cpp"}, "region": {"startLine": 142}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77964, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ab42bebbe20b17ee97dfb58e8650b1a8c8a1483345e271e4a2379bbe8d9e8248", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two 
different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Libraries/LibCore/Socket.cpp", "duplicate_line": 112, "correlation_key": "fp|ab42bebbe20b17ee97dfb58e8650b1a8c8a1483345e271e4a2379bbe8d9e8248"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Libraries/LibCore/SocketWindows.cpp"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77963, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8f8f5bb894b2c211ee0ae25181d0969f24d3b0058a4b58119cd6a9a9a9b8f212", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "Libraries/LibCore/LocalServer.cpp", "duplicate_line": 7, "correlation_key": "fp|8f8f5bb894b2c211ee0ae25181d0969f24d3b0058a4b58119cd6a9a9a9b8f212"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Libraries/LibCore/LocalServerWindows.cpp"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77962, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b986938d38b13142bec22c428e6868b32c111a0ea7666b1b23f1e0a839f1e41e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "AK/Utf32View.cpp", "duplicate_line": 3, "correlation_key": "fp|b986938d38b13142bec22c428e6868b32c111a0ea7666b1b23f1e0a839f1e41e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "AK/Utf8View.cpp"}, "region": {"startLine": 151}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 77961, "scanner": "repobility-ai-code-hygiene", "fingerprint": "89e36b74520fca9201cb39f9a4f052338280e761380a41027ee5cd5e40b6c754", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "AK/ByteString.h", "duplicate_line": 198, "correlation_key": "fp|89e36b74520fca9201cb39f9a4f052338280e761380a41027ee5cd5e40b6c754"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "AK/StringView.h"}, "region": {"startLine": 239}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 77954, "scanner": "repobility-threat-engine", "fingerprint": "8ed0092dbc7f00231868d725da24af6c616f17cf0e0daa1a4f9b4283219bcea4", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = u", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|57|sec006"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "Base/res/ladybird/about-pages/settings/languages.js"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 77959, "scanner": "repobility-threat-engine", "fingerprint": "77dd05dd81c76d96ca62c0ed7a127f3324d241aba8814f6bee13115bc4b89879", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|77dd05dd81c76d96ca62c0ed7a127f3324d241aba8814f6bee13115bc4b89879"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Libraries/LibCrypto/ASN1/ASN1.cpp"}, "region": {"startLine": 165}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 77958, "scanner": "repobility-threat-engine", "fingerprint": "b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b031acad30223651838c72762fbf67002aa9bccea5e8d28f9a1dee5134b8d8a4"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 77953, "scanner": "repobility-threat-engine", "fingerprint": "db9d027cf85c4ac3968f7e11aa0e3d9ef02a9c304ecff4599a0795188c842e20", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|db9d027cf85c4ac3968f7e11aa0e3d9ef02a9c304ecff4599a0795188c842e20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Base/res/ladybird/about-pages/settings/privacy.js"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 77952, "scanner": "repobility-threat-engine", "fingerprint": "501f9dd251562bff203051ccf223954c8fb0223f8af1339f7bd416c76ef21c94", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|501f9dd251562bff203051ccf223954c8fb0223f8af1339f7bd416c76ef21c94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Base/res/ladybird/about-pages/settings/default-zoom-level.js"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 77951, "scanner": "repobility-threat-engine", "fingerprint": "b35d81bf41075b379fbb1b501007f87d777f46e18779b17398aec95684217625", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.warn(\"No close match found for zoom factor: \", settings.defaultZoomLevelFactor)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|4|console.warn no close match found for zoom factor: token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Base/res/ladybird/about-pages/settings/default-zoom-level.js"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 77950, "scanner": "repobility-threat-engine", "fingerprint": "b252f3821dbe09e7b9ee3a5fd144b279dd6424fc404f10b9d726aea6685d6f51", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b252f3821dbe09e7b9ee3a5fd144b279dd6424fc404f10b9d726aea6685d6f51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "AK/kmalloc.cpp"}, "region": {"startLine": 
21}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 77949, "scanner": "repobility-threat-engine", "fingerprint": "2d0677d09afb5e514e6b4dfddf9df0427d880a43e5c6e02440beb52222931198", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2d0677d09afb5e514e6b4dfddf9df0427d880a43e5c6e02440beb52222931198", "aggregated_count": 10}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 77948, "scanner": "repobility-threat-engine", "fingerprint": "4b0fd2f66eca412488beddd187264bb37013311e513099c25345d36066d814f3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|4b0fd2f66eca412488beddd187264bb37013311e513099c25345d36066d814f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "AK/Singleton.h"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 77947, "scanner": "repobility-threat-engine", "fingerprint": "b47a9a1fc27d874603ec45d8984ac5c3532b4b12224097c15ac845517204af25", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b47a9a1fc27d874603ec45d8984ac5c3532b4b12224097c15ac845517204af25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "AK/NonnullRefPtr.h"}, "region": {"startLine": 270}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 77946, "scanner": "repobility-threat-engine", "fingerprint": "5a9e42dcd3740519dc4b52ea6c2ad1891a0816323339f99abadc8e2ccee4e367", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, 
"observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5a9e42dcd3740519dc4b52ea6c2ad1891a0816323339f99abadc8e2ccee4e367"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "AK/NonnullOwnPtr.h"}, "region": {"startLine": 148}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 77945, "scanner": "repobility-threat-engine", "fingerprint": "821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756"}}}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/ladybirdbrowser/ladybird-ci:2026.05.25` unpinned: `container/services image: ghcr.io/ladybirdbrowser/ladybird-ci:2026.05.25` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 77996, "scanner": "repobility-supply-chain", "fingerprint": "811e9414d8b8fb5eee77f1cc5bda8cecd76a425b729c527ec30179dc1ef71c9f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|811e9414d8b8fb5eee77f1cc5bda8cecd76a425b729c527ec30179dc1ef71c9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint-code.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/ladybirdbrowser/ladybird-ci:2026.05.25` unpinned: `container/services image: ghcr.io/ladybirdbrowser/ladybird-ci:2026.05.25` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 77995, "scanner": "repobility-supply-chain", "fingerprint": "f6cd7eaea13d24c3a7d7b4e44d0843fb14e41a0562913aa61ebc2f095d35a1ef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f6cd7eaea13d24c3a7d7b4e44d0843fb14e41a0562913aa61ebc2f095d35a1ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/libjs-test262.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `JamesIves/github-pages-deploy-action` pinned to mutable ref `@v4.8.0`: `uses: JamesIves/github-pages-deploy-action@v4.8.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77993, "scanner": "repobility-supply-chain", "fingerprint": "cea0385f1b7b7235344e7be2ab8a9db9940f4483ce908c800975b6028f79640f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cea0385f1b7b7235344e7be2ab8a9db9940f4483ce908c800975b6028f79640f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/libjs-test262.yml"}, "region": {"startLine": 146}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.3`: `uses: actions/checkout@v6.0.3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77992, "scanner": "repobility-supply-chain", "fingerprint": "2e630a750aeab62dc189398eaf79d0e7bc454549b236771f3e30e80feddbb1f7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2e630a750aeab62dc189398eaf79d0e7bc454549b236771f3e30e80feddbb1f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/libjs-test262.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.3`: `uses: actions/checkout@v6.0.3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77991, "scanner": "repobility-supply-chain", "fingerprint": "e71dd7ab5be250442e74407124581a183fff0d137f2e370c7d4851ff49aebb4e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e71dd7ab5be250442e74407124581a183fff0d137f2e370c7d4851ff49aebb4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/libjs-test262.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.3`: `uses: actions/checkout@v6.0.3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77990, "scanner": "repobility-supply-chain", "fingerprint": "da35f97c166c0af4b7d12f221b8a1ca0c2f1269cecc8f6fb889e9ff323ccb8b1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|da35f97c166c0af4b7d12f221b8a1ca0c2f1269cecc8f6fb889e9ff323ccb8b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/libjs-test262.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.3`: `uses: actions/checkout@v6.0.3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77989, "scanner": "repobility-supply-chain", "fingerprint": "7c4a8afbc231287c0efae4a1688fecf0450955ba747e4e3bfd0aa6804aa43a5b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7c4a8afbc231287c0efae4a1688fecf0450955ba747e4e3bfd0aa6804aa43a5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/libjs-test262.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.3`: `uses: actions/checkout@v6.0.3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77988, "scanner": "repobility-supply-chain", "fingerprint": "ca65abb4cbcf3a23c0b3e58eaff8267bdbf8acbf513a96472731cf9173628a96", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ca65abb4cbcf3a23c0b3e58eaff8267bdbf8acbf513a96472731cf9173628a96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/libjs-test262.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `eps1lon/actions-label-merge-conflict` pinned to mutable ref `@v3`: `uses: eps1lon/actions-label-merge-conflict@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77987, "scanner": "repobility-supply-chain", "fingerprint": "e1eb96d782b3eed5815527f394d90a644eb6a653c6ee558bea37e32ff0600e57", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e1eb96d782b3eed5815527f394d90a644eb6a653c6ee558bea37e32ff0600e57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/merge-conflict-labeler.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77986, "scanner": "repobility-supply-chain", "fingerprint": "ae65aa0f119b4ad928e0bf9cccab8413083cba9c1a6acb3f264781a3c45ca234", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ae65aa0f119b4ad928e0bf9cccab8413083cba9c1a6acb3f264781a3c45ca234"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/js-and-wasm-artifacts.yml"}, "region": {"startLine": 176}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77985, "scanner": "repobility-supply-chain", "fingerprint": "0ada79a5be6c11ddb0418344c0946f5fbafa3c06e68d4671ddde82ed6efb1c05", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0ada79a5be6c11ddb0418344c0946f5fbafa3c06e68d4671ddde82ed6efb1c05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/js-and-wasm-artifacts.yml"}, "region": {"startLine": 169}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.3`: `uses: actions/checkout@v6.0.3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77984, "scanner": "repobility-supply-chain", "fingerprint": "419e2ad91c3090787841a401c0771bf59409593f5c03e605dfa16c34e356289c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|419e2ad91c3090787841a401c0771bf59409593f5c03e605dfa16c34e356289c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/js-and-wasm-artifacts.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ghcr.io/flathub-infra/flatpak-github-actions:kde-6.9` unpinned: `container/services image: ghcr.io/flathub-infra/flatpak-github-actions:kde-6.9` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 77983, "scanner": "repobility-supply-chain", "fingerprint": "732a6e45c704cc4eb0b9daa82b4c019b76f37c209b24f4d6fe0705ce2927cd28", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|732a6e45c704cc4eb0b9daa82b4c019b76f37c209b24f4d6fe0705ce2927cd28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/flatpak-template.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `flatpak/flatpak-github-actions/flatpak-builder` pinned to mutable ref `@v6`: `uses: flatpak/flatpak-github-actions/flatpak-builder@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77982, "scanner": "repobility-supply-chain", "fingerprint": "99f31716bacf114d6ce968c13c503eabb970afa2ee1d88a78a1148b92666e67f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|99f31716bacf114d6ce968c13c503eabb970afa2ee1d88a78a1148b92666e67f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/flatpak-template.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.3`: `uses: actions/checkout@v6.0.3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77981, "scanner": "repobility-supply-chain", "fingerprint": "e667aa8efffb87b1ae9c24dce10ee344291867efea13f5d7d3a049d6bfdad1c5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e667aa8efffb87b1ae9c24dce10ee344291867efea13f5d7d3a049d6bfdad1c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/flatpak-template.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `fregante/setup-git-user` pinned to mutable ref `@v2`: `uses: fregante/setup-git-user@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77980, "scanner": "repobility-supply-chain", "fingerprint": "2ba6a272fc14a0a0be4468c978e25f9c77ec60f8c430e8d1adba40ad8ed94878", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2ba6a272fc14a0a0be4468c978e25f9c77ec60f8c430e8d1adba40ad8ed94878"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/notes-push.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.3`: `uses: actions/checkout@v6.0.3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77979, "scanner": "repobility-supply-chain", "fingerprint": "fb4123dca5a99a2afd615c18a4fa0944289c4b9d6c4630924b834099b69b2942", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fb4123dca5a99a2afd615c18a4fa0944289c4b9d6c4630924b834099b69b2942"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/notes-push.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77978, "scanner": "repobility-supply-chain", "fingerprint": "67881f0e704f6d09c87f554e1695bf80a3ec37b12d96f6d703b9ffe52f9b4eee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|67881f0e704f6d09c87f554e1695bf80a3ec37b12d96f6d703b9ffe52f9b4eee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/web-benchmarks.yml"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.3`: `uses: actions/checkout@v6.0.3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77977, "scanner": "repobility-supply-chain", "fingerprint": "5469b4653922be3d211d2f2d98256e6a9cb91338672797c3fb61032f2b658858", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5469b4653922be3d211d2f2d98256e6a9cb91338672797c3fb61032f2b658858"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/web-benchmarks.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.3`: `uses: actions/checkout@v6.0.3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77976, "scanner": "repobility-supply-chain", "fingerprint": "fcb49715cf03d5c6abd7bb09802dca1a65d749bcba3ff9c5229428a6a70c1283", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fcb49715cf03d5c6abd7bb09802dca1a65d749bcba3ff9c5229428a6a70c1283"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/web-benchmarks.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77975, "scanner": "repobility-supply-chain", "fingerprint": "d4728b37d95df578b5a109128236dc9042ddb2f0e7601cff4b26e46f49c5ebb6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d4728b37d95df578b5a109128236dc9042ddb2f0e7601cff4b26e46f49c5ebb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lagom-template.yml"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.3`: `uses: actions/checkout@v6.0.3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77974, "scanner": "repobility-supply-chain", "fingerprint": "daa049eff799b77aab9c56d36d7f1c1c5fdb1bdd415d6b1527dd422e8f0991dd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|daa049eff799b77aab9c56d36d7f1c1c5fdb1bdd415d6b1527dd422e8f0991dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lagom-template.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.3`: `uses: actions/checkout@v6.0.3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77973, "scanner": "repobility-supply-chain", "fingerprint": "5b9afc5a2ebd663b3abb0f9813b48a707dd2622409c3eb601e3048db0e096422", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5b9afc5a2ebd663b3abb0f9813b48a707dd2622409c3eb601e3048db0e096422"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lagom-template.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77972, "scanner": "repobility-supply-chain", "fingerprint": "d2e646f4af95707fee2f51024b52629aceca86de1bff215a4917aecf6bec652d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d2e646f4af95707fee2f51024b52629aceca86de1bff215a4917aecf6bec652d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/js-and-wasm-benchmarks.yml"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dawidd6/action-download-artifact` pinned to mutable ref `@v21`: `uses: dawidd6/action-download-artifact@v21` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77971, "scanner": "repobility-supply-chain", "fingerprint": "b16bbd5e072f15ed3d889b5c52315c9e00636ebd3305fefc113eca3fb71dae03", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b16bbd5e072f15ed3d889b5c52315c9e00636ebd3305fefc113eca3fb71dae03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/js-and-wasm-benchmarks.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `dawidd6/action-download-artifact` pinned to mutable ref `@v21`: `uses: dawidd6/action-download-artifact@v21` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77970, "scanner": "repobility-supply-chain", "fingerprint": "10aa1c9de8a5cb1cc3d940369404766cbb90414ab1e96245de99bab16026c16b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|10aa1c9de8a5cb1cc3d940369404766cbb90414ab1e96245de99bab16026c16b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/js-and-wasm-benchmarks.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.3`: `uses: actions/checkout@v6.0.3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77969, "scanner": "repobility-supply-chain", "fingerprint": "23df11b2d8ef89ad21d7687f959be104768a7a772561930077991b6180b514e9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|23df11b2d8ef89ad21d7687f959be104768a7a772561930077991b6180b514e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/js-and-wasm-benchmarks.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 77968, "scanner": "repobility-supply-chain", "fingerprint": "5432936759474ab00e85182669b113f1b2fe23c40f19cfe47ae63f7ad5e1cca1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5432936759474ab00e85182669b113f1b2fe23c40f19cfe47ae63f7ad5e1cca1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint-commits.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 77944, "scanner": "repobility-threat-engine", "fingerprint": "7a9fe94db7e0143d975483a0229ace53cbcd394dfff11cc98610d987c4979457", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(n", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7a9fe94db7e0143d975483a0229ace53cbcd394dfff11cc98610d987c4979457"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Base/res/ladybird/about-pages/settings/new-tab-page.js"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 77943, "scanner": "repobility-threat-engine", "fingerprint": "abc914fce5036603fcf4ab1219d576cbde86057edb5e1126c0b864897eb2c1d1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|abc914fce5036603fcf4ab1219d576cbde86057edb5e1126c0b864897eb2c1d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "AK/Base64.h"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 77942, "scanner": "repobility-threat-engine", "fingerprint": "ff61f459f4860459bdcef423d91116930c59fa58f7c7de16d9c45b919e12b6f0", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(S", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ff61f459f4860459bdcef423d91116930c59fa58f7c7de16d9c45b919e12b6f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "AK/Base64.cpp"}, "region": {"startLine": 106}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 77941, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.LADYBIRD_BOT_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.LADYBIRD_BOT_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Caveat before triage: GitHub withholds repository secrets (everything except a read-only GITHUB_TOKEN) from `pull_request` runs triggered from forks, so fork code can only reach this token if the same workflow also runs on `pull_request_target`, `push`, or a same-repository branch PR; confirm which case applies at the flagged line. If the token is genuinely required, use `pull_request_target` ONLY with strict checkout discipline: the job that holds the secret must never check out or execute the PR head (no checkout of the pull request's head ref or SHA), and no fork-controlled input may reach a shell or script step in that job."}, "properties": {"repobilityId": 77994, "scanner": "repobility-supply-chain", "fingerprint": "d424a0a0a07bf99014665ade8c2d439822663372841ef0433fd05dcd2f0e9c22", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d424a0a0a07bf99014665ade8c2d439822663372841ef0433fd05dcd2f0e9c22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/libjs-test262.yml"}, "region": {"startLine": 152}}}]}]}]}