{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `get_library_specifier` has cognitive complexity 13 (SonarSource scale). C", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `get_library_specifier` has cognitive complexity 13 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and r"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 13."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 149 more): Same pattern found in 149 additional files. Review if n", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 149 more): Same pattern found in 149 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-1188 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/changed-files.yaml` pinned to mutable ref `@main`: `uses:", "shortDescription": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/changed-files.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/changed-files.yaml@main` resolves at workflow-run time. Tags and branches c"}, "fullDescription": {"text": "Replace with: `uses: rapidsai/shared-workflows/.github/workflows/changed-files.yaml@<40-char-sha>  # main` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `rapidsai/ci-conda:26.08-latest` unpinned: `container/services image: rapid", "shortDescription": {"text": "[MINED126] Workflow container/services image `rapidsai/ci-conda:26.08-latest` unpinned: `container/services image: rapidsai/ci-conda:26.08-latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container refe"}, "fullDescription": {"text": "Replace with `rapidsai/ci-conda:26.08-latest@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC035", "name": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based o", "shortDescription": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. 
Attackers send `size=10000000` to exhaust memory, or trigger expensive computation."}, "fullDescription": {"text": "Cap user-controlled sizes BEFORE allocation:\n  size = min(int(request.args.get('n', 100)), MAX_SIZE)\nSet framework-level limits:\n  Flask:    app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024\n  FastAPI:  use middleware to enforce request size\n  Django:   DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py\nNever raise `sys.setrecursionlimit` past 10K without a deeper review."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used in a security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used in a security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). 
Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1121"}, "properties": {"repository": "rapidsai/cudf", "repoUrl": "https://github.com/rapidsai/cudf", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 110862, "scanner": "repobility-ast-engine", "fingerprint": "bde27895eefe51cb8d18ad3f12f6919f554d955e92c47d7858d3e1b4ca99e6ac", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bde27895eefe51cb8d18ad3f12f6919f554d955e92c47d7858d3e1b4ca99e6ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/check_cudf_polars_ir.py"}, "region": {"startLine": 336}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. 
Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 110861, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 110850, "scanner": "repobility-threat-engine", "fingerprint": "29cafe090e034a8dcc11df8a6a9b23398e6b1833242d9eb1fffb07329aa8e98d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|47|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/benchmarks/binaryop/binaryop.cpp"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 110849, "scanner": "repobility-threat-engine", "fingerprint": "5c1a629785ef540c2ad37e4ee508874db1812aaf2d3df7a5d7cdddf62968fe06", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|103|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/benchmarks/ast/transform.cpp"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 110848, "scanner": "repobility-threat-engine", "fingerprint": "8861df64573326deafb6aa6f5de5307f615126e727465231f63583c2dd22cb09", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|89|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/benchmarks/ast/polynomials.cpp"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 110858, "scanner": "repobility-threat-engine", "fingerprint": "712bd0954ace13b7ee9b9d72a211db160ee1996865a65e80e3bb98d9943e3d5e", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"void transform(\" + type_name + \"* out, \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|712bd0954ace13b7ee9b9d72a211db160ee1996865a65e80e3bb98d9943e3d5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/benchmarks/transform/transform.cpp"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 110857, "scanner": "repobility-threat-engine", "fingerprint": "91a41e2148a6486e6c4bffee562e6f82dcf1e6b420577a2526f81dd48840870a", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"__device__ inline void compute_polynomial(\" + type + \"* out, \"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|91a41e2148a6486e6c4bffee562e6f82dcf1e6b420577a2526f81dd48840870a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/benchmarks/transform/polynomials.cpp"}, "region": {"startLine": 78}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 110856, "scanner": "repobility-threat-engine", "fingerprint": "3a59310347e093e6f1b2f80345ec4c9a7f2a3144703a5d60bce7c615d39a7579", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"Unknown rmm_mode parameter: \" + mode +\n              \"\\nExpecting: cuda, pool, async, arena, manage", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3a59310347e093e6f1b2f80345ec4c9a7f2a3144703a5d60bce7c615d39a7579"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/benchmarks/fixture/nvbench_fixture.hpp"}, "region": {"startLine": 65}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `get_library_specifier` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: except=2, for=2, if=3, nested_bonus=6."}, "properties": {"repobilityId": 110847, "scanner": "repobility-threat-engine", "fingerprint": "11daf79589024029a6ecd53f869c4ac139ce5d7c9ad2c460cfd098b0ace7bfeb", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 13 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "get_library_specifier", "breakdown": {"if": 3, "for": 2, "except": 2, "nested_bonus": 6}, "complexity": 13, "correlation_key": "fp|11daf79589024029a6ecd53f869c4ac139ce5d7c9ad2c460cfd098b0ace7bfeb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/utils/filter_package_versions.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 149 more): Same pattern found in 149 additional files. Review if needed."}, "properties": {"repobilityId": 110855, "scanner": "repobility-threat-engine", "fingerprint": "f2c477b1969b0b65d3257b1d18b7cf53ad435a388b58cf5be9203997e5ba9699", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 149 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 149 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f2c477b1969b0b65d3257b1d18b7cf53ad435a388b58cf5be9203997e5ba9699"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 149 more): Same pattern found in 149 additional files. 
Review if needed."}, "properties": {"repobilityId": 110851, "scanner": "repobility-threat-engine", "fingerprint": "fda7ed7c4c1e0c9de80d1ad7d3585e47f48cd75defe16b04fe96fa186387a0bf", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 149 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 149 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|fda7ed7c4c1e0c9de80d1ad7d3585e47f48cd75defe16b04fe96fa186387a0bf"}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 110846, "scanner": "repobility-threat-engine", "fingerprint": "e07481d3a2f7d3c0ef3a40bb070f3e530e68f61032362af59b73aea869aed81a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e07481d3a2f7d3c0ef3a40bb070f3e530e68f61032362af59b73aea869aed81a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/utils/filter_package_versions.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action 
`rapidsai/shared-workflows/.github/workflows/changed-files.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/changed-files.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110890, "scanner": "repobility-supply-chain", "fingerprint": "c49ebe5c6f4df11bc2ff98f95c07263446211a9ba59d0ed66f8de3f4af7802e0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c49ebe5c6f4df11bc2ff98f95c07263446211a9ba59d0ed66f8de3f4af7802e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-actions/check_nightly_success/dispatch` pinned to mutable ref `@main`: `uses: rapidsai/shared-actions/check_nightly_success/dispatch@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110889, "scanner": "repobility-supply-chain", "fingerprint": "130a3d3679a0c9597358ac743f1450a3a07a0f0ff22b365e99b3e08e4d240d8a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|130a3d3679a0c9597358ac743f1450a3a07a0f0ff22b365e99b3e08e4d240d8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-actions/telemetry-dispatch-stash-base-env-vars` pinned to mutable ref `@main`: `uses: rapidsai/shared-actions/telemetry-dispatch-stash-base-env-vars@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110888, "scanner": "repobility-supply-chain", "fingerprint": "79701a7b23035a756cbab81b581787736c19803ec74736565a20130fee8d17e1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|79701a7b23035a756cbab81b581787736c19803ec74736565a20130fee8d17e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/pr-builder.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/pr-builder.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110887, "scanner": "repobility-supply-chain", "fingerprint": "0111d15c540015c62f7c2ebc2c33a4d5b21ada78b74c6ca9795e161a5998ed9b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0111d15c540015c62f7c2ebc2c33a4d5b21ada78b74c6ca9795e161a5998ed9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr.yaml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/project-get-set-single-select-field.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/project-get-set-single-select-field.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110886, "scanner": "repobility-supply-chain", "fingerprint": "4f7b232be997012fcefae9ace26d618a25ed5e0b4d41f74b55d56c64870d8133", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f7b232be997012fcefae9ace26d618a25ed5e0b4d41f74b55d56c64870d8133"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr_issue_status_automation.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/project-get-set-single-select-field.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/project-get-set-single-select-field.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110885, "scanner": "repobility-supply-chain", "fingerprint": "e5a7332b29fb32d489c994cb045964c64e3194f5d0fd6225bc6ae74c3f32fe9e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e5a7332b29fb32d489c994cb045964c64e3194f5d0fd6225bc6ae74c3f32fe9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr_issue_status_automation.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/project-get-item-id.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/project-get-item-id.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110884, "scanner": "repobility-supply-chain", "fingerprint": "e4968ffde9dbfe90131885931738f468a462acbc4a828d865d61b2b66c52b19c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e4968ffde9dbfe90131885931738f468a462acbc4a828d865d61b2b66c52b19c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr_issue_status_automation.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/custom-job.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/custom-job.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110883, "scanner": "repobility-supply-chain", "fingerprint": "ebc0268e7a7612e60596db10d80a85557ea120f531b834e4215fb55751c37ada", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ebc0268e7a7612e60596db10d80a85557ea120f531b834e4215fb55751c37ada"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pandas-tests.yaml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `rapidsai/ci-conda:26.08-latest` unpinned: `container/services image: rapidsai/ci-conda:26.08-latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 110882, "scanner": "repobility-supply-chain", "fingerprint": "d510b95d340bc25ce3cfcd69477c97146f740fb7b9d6db1d5e8de91b9a4197fe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d510b95d340bc25ce3cfcd69477c97146f740fb7b9d6db1d5e8de91b9a4197fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compute-sanitizer-run.yaml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `rapidsai/ci-conda:26.08-latest` unpinned: `container/services image: rapidsai/ci-conda:26.08-latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 110881, "scanner": "repobility-supply-chain", "fingerprint": "4155014b4fbad8057c59460658a0f8d5bc2571f683b1b6c3c6fa637cc1867dc7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4155014b4fbad8057c59460658a0f8d5bc2571f683b1b6c3c6fa637cc1867dc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compute-sanitizer-run.yaml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `rapidsai/ci-spark-rapids-jni:rockylinux8-cuda12.9.1` unpinned: `container/services image: rapidsai/ci-spark-rapids-jni:rockylinux8-cuda12.9.1` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 110880, "scanner": "repobility-supply-chain", "fingerprint": "02eb7f3c7f204bcf57487e33d9501e004d51f21c3440b68dde02443e77f3cd6a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|02eb7f3c7f204bcf57487e33d9501e004d51f21c3440b68dde02443e77f3cd6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/spark-rapids-jni.yaml"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/breaking-change-alert.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110879, "scanner": "repobility-supply-chain", "fingerprint": "e6de12d994b1b1169bb839c67e5a0aa5c7e472e2c81e61b04f9ea2b5fc526c43", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e6de12d994b1b1169bb839c67e5a0aa5c7e472e2c81e61b04f9ea2b5fc526c43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/trigger-breaking-change-alert.yaml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/custom-job.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/custom-job.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110878, "scanner": "repobility-supply-chain", "fingerprint": "0fa4fc22e940dda9aaa1d75348bc413bd3f43005bd0defc4b467c12073d8820b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0fa4fc22e940dda9aaa1d75348bc413bd3f43005bd0defc4b467c12073d8820b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 278}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/wheels-test.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/wheels-test.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110877, "scanner": "repobility-supply-chain", "fingerprint": "84e236eb9e8e7acea31446e584d29eaa292da849fa62eb8061cc145521e722cd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|84e236eb9e8e7acea31446e584d29eaa292da849fa62eb8061cc145521e722cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 263}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/wheels-test.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/wheels-test.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110876, "scanner": "repobility-supply-chain", "fingerprint": "d2484d398ff6c68282cc54f37ee2eb13a1f68bad2a763ce9a3d51b2774a8d6f4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d2484d398ff6c68282cc54f37ee2eb13a1f68bad2a763ce9a3d51b2774a8d6f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 247}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/custom-job.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/custom-job.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110875, "scanner": "repobility-supply-chain", "fingerprint": "0391c5a570fdf49b0dced6b05ff93bad7865c632ac379d4a32e4282efc07983d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0391c5a570fdf49b0dced6b05ff93bad7865c632ac379d4a32e4282efc07983d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 228}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/wheels-test.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/wheels-test.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110874, "scanner": "repobility-supply-chain", "fingerprint": "79652de27f3b9a9e687c6b7eeaad6e9765876c3efa5a11b51c496ef27fe318d8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|79652de27f3b9a9e687c6b7eeaad6e9765876c3efa5a11b51c496ef27fe318d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 213}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/wheels-test.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/wheels-test.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110873, "scanner": "repobility-supply-chain", "fingerprint": "72183dedbfdeee2ccba70fb7dae0a547fbfb981d1c0d497b2435cfaae073c63b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|72183dedbfdeee2ccba70fb7dae0a547fbfb981d1c0d497b2435cfaae073c63b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 198}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/wheels-test.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/wheels-test.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110872, "scanner": "repobility-supply-chain", "fingerprint": "ec6abe9ad7523b697ba6f5e7f404eee1ba8b839aa58c78e881408a476f606986", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ec6abe9ad7523b697ba6f5e7f404eee1ba8b839aa58c78e881408a476f606986"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/custom-job.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/custom-job.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110871, "scanner": "repobility-supply-chain", "fingerprint": "b2f25ff444985c2f012d43cba7218114818fe3bfc1064556d906961f23b65e35", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b2f25ff444985c2f012d43cba7218114818fe3bfc1064556d906961f23b65e35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/custom-job.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/custom-job.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110870, "scanner": "repobility-supply-chain", "fingerprint": "f2822a027b95916151df83c61438ce2e2ddbada7b86d520f7c185fd9b14ec1df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f2822a027b95916151df83c61438ce2e2ddbada7b86d520f7c185fd9b14ec1df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 147}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/conda-python-tests.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/conda-python-tests.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110869, "scanner": "repobility-supply-chain", "fingerprint": "403f50ccdab2b07fa98f47abbf6301a9ec080200c5ca696dd56b9e89e8571c9d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|403f50ccdab2b07fa98f47abbf6301a9ec080200c5ca696dd56b9e89e8571c9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/conda-python-tests.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/conda-python-tests.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110868, "scanner": "repobility-supply-chain", "fingerprint": "50f0e4df04f4d8d9001dada91dadee043237078ab68839039c9c3bca6e3ccf5e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|50f0e4df04f4d8d9001dada91dadee043237078ab68839039c9c3bca6e3ccf5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/custom-job.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/custom-job.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110867, "scanner": "repobility-supply-chain", "fingerprint": "a337e884719f6b1f2dcdbbaca36347d7400c14a4d98f1cbfb1880ad02d75f81a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a337e884719f6b1f2dcdbbaca36347d7400c14a4d98f1cbfb1880ad02d75f81a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/custom-job.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/custom-job.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110866, "scanner": "repobility-supply-chain", "fingerprint": "748e49d1e7ae550c1bee89e330bd0cc60a9161b42ba957fc23f281eb22622fd7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|748e49d1e7ae550c1bee89e330bd0cc60a9161b42ba957fc23f281eb22622fd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/custom-job.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/custom-job.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110865, "scanner": "repobility-supply-chain", "fingerprint": "c77d96fdd06f324c72f3b4669de4ad59bf45dfb463da8f7cc2b32367b4309603", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c77d96fdd06f324c72f3b4669de4ad59bf45dfb463da8f7cc2b32367b4309603"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/conda-cpp-tests.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/conda-cpp-tests.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110864, "scanner": "repobility-supply-chain", "fingerprint": "4e497dd9605496e1ffe2076971dd1383175fb9adbc76b342fc83b69c9c356470", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e497dd9605496e1ffe2076971dd1383175fb9adbc76b342fc83b69c9c356470"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rapidsai/shared-workflows/.github/workflows/conda-cpp-post-build-checks.yaml` pinned to mutable ref `@main`: `uses: rapidsai/shared-workflows/.github/workflows/conda-cpp-post-build-checks.yaml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 110863, "scanner": "repobility-supply-chain", "fingerprint": "f3be2c2977a8f01489704b7271e811c93cbecfcc0caa70e72fa5cbbd509d19c7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f3be2c2977a8f01489704b7271e811c93cbecfcc0caa70e72fa5cbbd509d19c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yaml"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. 
Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 110860, "scanner": "repobility-threat-engine", "fingerprint": "0bc2c5f8623ccca88efc9f42744b7b0ec53dab3c676b8a0b142555e3b9d28820", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "bytes(input.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0bc2c5f8623ccca88efc9f42744b7b0ec53dab3c676b8a0b142555e3b9d28820"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/benchmarks/transpose/transpose.cpp"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 110859, "scanner": "repobility-threat-engine", "fingerprint": "162a051bc2b22c3b737ab60a2a3aed17143f58110b1d3d1efb5d504a5b31e960", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|162a051bc2b22c3b737ab60a2a3aed17143f58110b1d3d1efb5d504a5b31e960"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/benchmarks/hashing/hash.cpp"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with 
non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 110854, "scanner": "repobility-threat-engine", "fingerprint": "ecd116a90bd9120b90331639ef1222befdeca71c67dd3973fb15943e9eadf95d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(nvbench", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ecd116a90bd9120b90331639ef1222befdeca71c67dd3973fb15943e9eadf95d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/benchmarks/binaryop/binaryop.cpp"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 110853, "scanner": "repobility-threat-engine", "fingerprint": "423557fd37ccd6dff0b1c19a8b68a66850c4be8974cc595b7ce84737f8993e25", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(nvbench", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|423557fd37ccd6dff0b1c19a8b68a66850c4be8974cc595b7ce84737f8993e25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/benchmarks/ast/transform.cpp"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 110852, "scanner": "repobility-threat-engine", "fingerprint": "d85c452e8b7c4e35f61cdb8573fe291cf5eb11d6afaf30ae61e4630a24daba5a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(nvbench", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d85c452e8b7c4e35f61cdb8573fe291cf5eb11d6afaf30ae61e4630a24daba5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cpp/benchmarks/ast/polynomials.cpp"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 110845, "scanner": "repobility-threat-engine", "fingerprint": "bec119cc699c600cc8dcdaca6188545623795f39e3df2d746bf1319dfa2de349", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bec119cc699c600cc8dcdaca6188545623795f39e3df2d746bf1319dfa2de349"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ci/utils/filter_package_versions.py"}, "region": {"startLine": 36}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", 
"message": {"text": "No test files found"}, "properties": {"repobilityId": 110844, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}]}]}