{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `redis` image has no explicit tag", "shortDescription": {"text": "Compose service `redis` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested.", "shortDescription": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 40 more): Same pattern found in 40 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 44 more): Same pattern found in 44 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 44 more): Same pattern found in 44 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 61 more): Same pattern found in 61 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 61 more): Same pattern found in 61 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 104 more): Same pattern found in 104 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 104 more): Same pattern found in 104 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 29 more): Same pattern found in 29 additional files. Review if nee", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `packages/frontend/apps/android/App/gradle/wrapper/gradle-wrapper.jar` committed in source repo: ", "shortDescription": {"text": "[MINED134] Binary file `packages/frontend/apps/android/App/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `packages/frontend/apps/android/App/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,705 bytes) committed to a re"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `node:22-bookworm-slim` not pinned by digest: `FROM node:22-bookworm-slim` resolves the tag a", "shortDescription": {"text": "[MINED118] Dockerfile FROM `node:22-bookworm-slim` not pinned by digest: `FROM node:22-bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Prod"}, "fullDescription": {"text": "Replace with: `FROM node:22-bookworm-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `manticoresearch/manticore:10.1.0` unpinned: `container/services image: man", "shortDescription": {"text": "[MINED126] Workflow container/services image `manticoresearch/manticore:10.1.0` unpinned: `container/services image: manticoresearch/manticore:10.1.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container "}, "fullDescription": {"text": "Replace with `manticoresearch/manticore:10.1.0@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves", "shortDescription": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files co"}, "fullDescription": {"text": "Replace with: `uses: actions/download-artifact@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express POST /global/stop has no auth: Express route POST /global/stop declared without an auth middleware in", "shortDescription": {"text": "[MINED113] Express POST /global/stop has no auth: Express route POST /global/stop declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken acce"}, "fullDescription": {"text": "Add an auth middleware: app.post('/global/stop', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Never prefill secret fields with stored values. Show a masked status such as configured/not configured, require explicit rotation to replace the value, and return the raw key only once at creation time."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC033", "name": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without fil", "shortDescription": {"text": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting ever"}, "fullDescription": {"text": "Sanitize keys BEFORE merge:\n  function sanitize(obj) {\n    delete obj.__proto__;\n    delete obj.constructor;\n    delete obj.prototype;\n    return obj;\n  }\nOr use Object.create(null) for the target. Or use Map() for user-key-indexed data. Upgrade lodash >= 4.17.21 for partial mitigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.TEST_SERVER_CONFIG` on a `pull_request` trigger: This workflow triggers on `pull_reque", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.TEST_SERVER_CONFIG` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TEST_SERVER_CONFIG }` lets a PR from any fork exfiltrate "}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED129", "name": "[MINED129] Committed yarn npmAuthToken in .yarnrc.yml: `.yarnrc.yml` contains a yarn npmAuthToken. If this file is commi", "shortDescription": {"text": "[MINED129] Committed yarn npmAuthToken in .yarnrc.yml: `.yarnrc.yml` contains a yarn npmAuthToken. If this file is committed to the repo, the credential is leaked to every developer and CI system. Anyone with read access to the repo can pub"}, "fullDescription": {"text": "1) Revoke the leaked credential immediately. 2) `git rm` the file. 3) Add it to .gitignore. 4) Use environment variables for npm/yarn/pip auth: `_authToken=${NPM_TOKEN}` (literal \u2014 npm expands env vars in .npmrc)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/841"}, "properties": {"repository": "toeverything/AFFiNE", "repoUrl": "https://github.com/toeverything/AFFiNE", "branch": "canary"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 75493, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 75492, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 75484, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 75483, "scanner": "repobility-docker", "fingerprint": "847c5d0ddb61edc5e22d04d615b38552f30d6a6b3232e06bdb69677b56dee9c8", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|847c5d0ddb61edc5e22d04d615b38552f30d6a6b3232e06bdb69677b56dee9c8", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".docker/selfhost/compose.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `redis` image has no explicit tag"}, "properties": {"repobilityId": 75482, "scanner": "repobility-docker", "fingerprint": "6b9be86824a88124c7478cee7ffb0f38cbbed28efbd278877eb52b819fa86b49", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "redis", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6b9be86824a88124c7478cee7ffb0f38cbbed28efbd278877eb52b819fa86b49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".docker/selfhost/compose.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 75475, "scanner": "repobility-docker", "fingerprint": "b6ffecc33a88cec1c6a1d6c13df1ad57e18eba806c1220c0e9fe03140ac9f7bd", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|b6ffecc33a88cec1c6a1d6c13df1ad57e18eba806c1220c0e9fe03140ac9f7bd", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `redis` image has no explicit tag"}, "properties": {"repobilityId": 75474, "scanner": "repobility-docker", "fingerprint": "5a402681878673c55e0fa692a48617d0530e479d6ae7fa5b695ec16db0ef3edd", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "redis", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5a402681878673c55e0fa692a48617d0530e479d6ae7fa5b695ec16db0ef3edd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 75470, "scanner": "repobility-docker", "fingerprint": "1a8d7527eaf554ccde6c8f41f97ec9dd0afbc6f87c57372206b9468182713346", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:22-bookworm-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1a8d7527eaf554ccde6c8f41f97ec9dd0afbc6f87c57372206b9468182713346"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/deployment/node/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 75469, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "packages/backend/server/migrations/20251231145656_snapshot_size/migration.sql", "size_mb": 0.0}, {"path": "packages/backend/server/migrations/20240908130725_add_workspace_level_snapshot_index/migration.sql", "size_mb": 0.0}, {"path": "packages/backend/server/migrations/20230714065216_snapshot_id/migration.sql", "size_mb": 0.0}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 75460, "scanner": "repobility-threat-engine", "fingerprint": "2c2a2f8c275a278741b04c4b5129b4e5a941638660a4df93f34f9a84fac5abfa", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * 2 ** 31);\n}\n\nexport class Random {\n  priv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2c2a2f8c275a278741b04c4b5129b4e5a941638660a4df93f34f9a84fac5abfa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/surface/src/utils/rough/math.ts"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 75446, "scanner": "repobility-threat-engine", "fingerprint": "ae4744c7ebe75537c21428a541bd298ba91027a11fbbab0e7b60dd238735f93d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|47|sec045", "duplicate_count": 2, "duplicate_rule_ids": ["SEC045"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["ae4744c7ebe75537c21428a541bd298ba91027a11fbbab0e7b60dd238735f93d", "df0b4ff3781a08d93ec83dea2eeec57c178a5543fe4bf4f7b0de88c7fdf4fdcf", "e0811f302d60fef5b8d8dd74946dd0509d5990d3e7ca5415343676bb66331ee5"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/bookmark/src/commands/insert-link-by-quick-search.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 75444, "scanner": "repobility-threat-engine", "fingerprint": "6e39b8a20b93c56c59c5ff882083a2e95373d4e91534559b328ca7e4320d8813", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(link, '_blank')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|39|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/embed/src/embed-github-block/embed-github-block.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 75443, "scanner": "repobility-threat-engine", "fingerprint": "5a6b58309892e92410d36a6c1a90700c1e37725e894aa5c6cfeb781f6151c4a1", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(link, '_blank')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|23|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/embed/src/embed-figma-block/embed-figma-block.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 75442, "scanner": "repobility-threat-engine", "fingerprint": "4f624fbb44be41906c8df7ee39115e96beada1a1451e8ab63f2cc0ba518ce30f", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(link, '_blank', 'noopener,noreferrer')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|113|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/bookmark/src/bookmark-block.ts"}, "region": {"startLine": 113}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 75423, "scanner": "repobility-threat-engine", "fingerprint": "147e11b6ec09ee5ff07fcbf2b80b59712151a79e93451da5049238971a4fb322", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password=\"<redacted>}\"", "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|. token|6|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/deploy/deploy.mjs"}, "region": {"startLine": 67}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 75491, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 75490, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 75489, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 75488, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 75480, "scanner": "repobility-docker", "fingerprint": "5703b209589a675b983dc882cea5af5c6a5a717732c7dcbfce92b9dbc9909bd6", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "affine", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5703b209589a675b983dc882cea5af5c6a5a717732c7dcbfce92b9dbc9909bd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".docker/selfhost/compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 75479, "scanner": "repobility-docker", "fingerprint": "337b9f6cfcfb51c80656e159c1e170b26181cfb36aaed93dfd143eed8bdcdde6", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "affine", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|337b9f6cfcfb51c80656e159c1e170b26181cfb36aaed93dfd143eed8bdcdde6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".docker/selfhost/compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 75476, "scanner": "repobility-docker", "fingerprint": "868c5569475fdb21bb8369b83cf2e0917c0c12b786460b1b92c8ab8789973b30", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|868c5569475fdb21bb8369b83cf2e0917c0c12b786460b1b92c8ab8789973b30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 75473, "scanner": "repobility-docker", "fingerprint": "b61cf366296ad38c63ccba5be2caa3a0acfbd0973889de43a5223530c3fee000", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|b61cf366296ad38c63ccba5be2caa3a0acfbd0973889de43a5223530c3fee000"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 75471, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 75467, "scanner": "repobility-threat-engine", "fingerprint": "2451ba6411616c4d825ac06df885d286ff93552f5ba855203e04c9dfe698fa3d", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'blocksuite:' + id + ':edgelessViewport'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2451ba6411616c4d825ac06df885d286ff93552f5ba855203e04c9dfe698fa3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/shared/src/services/edit-props-store.ts"}, "region": {"startLine": 123}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 75461, "scanner": "repobility-threat-engine", "fingerprint": "ce3e0efe266f3b535cd753dcbf4d271f58da68d5e6aa72d352589d85a552a9a6", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = h", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|13|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/components/src/toast/html-to-element.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `affine_migration` image is selected through a build variable"}, "properties": {"repobilityId": 75481, "scanner": "repobility-docker", "fingerprint": "44e4ba043574b53bb37fc4a6632662cd434ff6fec3c28977ca046962d27af0cd", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/toeverything/affine:${AFFINE_REVISION:-stable}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|44e4ba043574b53bb37fc4a6632662cd434ff6fec3c28977ca046962d27af0cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".docker/selfhost/compose.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `affine` image is selected through a build variable"}, "properties": {"repobilityId": 75478, "scanner": "repobility-docker", "fingerprint": "50ce8956a0761238539f6fc36fe1c6e7f92406d05888145b964dece59202afc7", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "ghcr.io/toeverything/affine:${AFFINE_REVISION:-stable}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|50ce8956a0761238539f6fc36fe1c6e7f92406d05888145b964dece59202afc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".docker/selfhost/compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `indexer` image is selected through a build variable"}, "properties": {"repobilityId": 75477, "scanner": "repobility-docker", "fingerprint": "6520b83fc0e551ddbce04fc21ec32e27a9721e5f55cb6324cfa3e3de7151ecc5", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "manticoresearch/manticore:${MANTICORE_VERSION:-10.1.0}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|6520b83fc0e551ddbce04fc21ec32e27a9721e5f55cb6324cfa3e3de7151ecc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 75466, "scanner": "repobility-threat-engine", "fingerprint": "be90d75ea96fe95d3f87d008bf940d95d90b7da9547b03a139a52ffac87406a6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|be90d75ea96fe95d3f87d008bf940d95d90b7da9547b03a139a52ffac87406a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/data-view/src/property-presets/number/utils/formats.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 75465, "scanner": "repobility-threat-engine", "fingerprint": "77c15976f0768a666e6053652fdae4975605bc47b9aed04f29b3262667fd5d8b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|77c15976f0768a666e6053652fdae4975605bc47b9aed04f29b3262667fd5d8b", "aggregated_count": 5}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 75464, "scanner": "repobility-threat-engine", "fingerprint": "21f8b3b7048bd21eb7c92141fb9b10137cd8b3fa815e35023dcc4e00fed3dd1e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|21f8b3b7048bd21eb7c92141fb9b10137cd8b3fa815e35023dcc4e00fed3dd1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/data-view/src/core/view/data-view-base.ts"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 75463, "scanner": "repobility-threat-engine", "fingerprint": "f7e230d1b85029bc691be21a8556e3497fdb9206c525e5d09a722569f591b5e2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f7e230d1b85029bc691be21a8556e3497fdb9206c525e5d09a722569f591b5e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/data-view/src/core/view-manager/single-view.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 75462, "scanner": "repobility-threat-engine", "fingerprint": "efda9eae41e870d718fc9396f941e7832daca47b9664d9b9009011a2d33799f1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|efda9eae41e870d718fc9396f941e7832daca47b9664d9b9009011a2d33799f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/data-view/src/core/logical/type.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "properties": {"repobilityId": 75455, "scanner": "repobility-threat-engine", "fingerprint": "273f4901d453365aaaf98b3a4ae478e2a501c22c491b480a6fc69dacbee71abf", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 40 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 40 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|273f4901d453365aaaf98b3a4ae478e2a501c22c491b480a6fc69dacbee71abf"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 75451, "scanner": "repobility-threat-engine", "fingerprint": "a76cbdc98f8dde1c3c34a513671d88e9a2f08a24d770d40bc43612ccd004bada", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a76cbdc98f8dde1c3c34a513671d88e9a2f08a24d770d40bc43612ccd004bada", "aggregated_count": 3}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 75450, "scanner": "repobility-threat-engine", "fingerprint": "7d2527e37cbeb402bcd86bcf9a41458d4fd1fb7cfc3527b7136ff554d6171baf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7d2527e37cbeb402bcd86bcf9a41458d4fd1fb7cfc3527b7136ff554d6171baf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/components/src/peek/peekable.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 75449, "scanner": "repobility-threat-engine", "fingerprint": "6c522eb445adfe3cf98fe5f73489b7f8acb0c582103f6d4e67fd82a015df478d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6c522eb445adfe3cf98fe5f73489b7f8acb0c582103f6d4e67fd82a015df478d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/data-view/src/data-source.ts"}, "region": {"startLine": 293}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 75448, "scanner": "repobility-threat-engine", "fingerprint": "d6d71292b703e9555db9e7d7b0b16dde138880099fb223b7f7e7433f2aa20160", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d6d71292b703e9555db9e7d7b0b16dde138880099fb223b7f7e7433f2aa20160"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/code/src/code-block-service.ts"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 28 more): Same pattern found in 28 additional files. Review if needed."}, "properties": {"repobilityId": 75447, "scanner": "repobility-threat-engine", "fingerprint": "3ab4586a3db8c5d3564335dc0392f39671d03d5fced905bd1eb16e59bcf6301f", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 28 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 28 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3ab4586a3db8c5d3564335dc0392f39671d03d5fced905bd1eb16e59bcf6301f"}}}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\" (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 75445, "scanner": "repobility-threat-engine", "fingerprint": "be1de572e8dfca8563b4873dc72949759dd4f7533f2e1000b193ce51b81a5bba", "category": "security", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|be1de572e8dfca8563b4873dc72949759dd4f7533f2e1000b193ce51b81a5bba"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 44 more): Same pattern found in 44 additional files. Review if needed."}, "properties": {"repobilityId": 75441, "scanner": "repobility-threat-engine", "fingerprint": "b13b0a7a8bb74ca2d81dc12323eb1c7f6b3a9681090a54be187e59a2c3e9f7e3", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 44 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 44 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b13b0a7a8bb74ca2d81dc12323eb1c7f6b3a9681090a54be187e59a2c3e9f7e3"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 61 more): Same pattern found in 61 additional files. Review if needed."}, "properties": {"repobilityId": 75437, "scanner": "repobility-threat-engine", "fingerprint": "15b3b620a89366bab62f231c0712ad1926b50a5037ac9074d348c0e56380c1eb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 61 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|15b3b620a89366bab62f231c0712ad1926b50a5037ac9074d348c0e56380c1eb", "aggregated_count": 61}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 75436, "scanner": "repobility-threat-engine", "fingerprint": "c69ccc5da840da1aeaabd5312f672793d2b75b773e5b8d78635e3fd1673de8b9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c69ccc5da840da1aeaabd5312f672793d2b75b773e5b8d78635e3fd1673de8b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/database/src/selection.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 75435, "scanner": "repobility-threat-engine", "fingerprint": "65814297455922dd80b9ada664f9db375befba662d0423e7a9e3694638a8011c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|65814297455922dd80b9ada664f9db375befba662d0423e7a9e3694638a8011c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/database/src/properties/rich-text/cell-renderer.ts"}, "region": {"startLine": 366}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 75434, "scanner": "repobility-threat-engine", "fingerprint": "a4a4c33d71334a06ffa06a60de21c499c93c0a966101c76ba1f8d84283870c69", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a4a4c33d71334a06ffa06a60de21c499c93c0a966101c76ba1f8d84283870c69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/attachment/src/edgeless-clipboard-config.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 104 more): Same pattern found in 104 additional files. Review if needed."}, "properties": {"repobilityId": 75433, "scanner": "repobility-threat-engine", "fingerprint": "2b2f1d67b4521ac2bc76786487fa1596c2b4712b0c33ab582ae55e55a1d5d76c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 104 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2b2f1d67b4521ac2bc76786487fa1596c2b4712b0c33ab582ae55e55a1d5d76c", "aggregated_count": 104}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 75432, "scanner": "repobility-threat-engine", "fingerprint": "f1c857c3b8954363a3f9e0b9053b90eb3750f41c2049e6be6407c2ff7826e626", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f1c857c3b8954363a3f9e0b9053b90eb3750f41c2049e6be6407c2ff7826e626"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/attachment/src/adapters/markdown.ts"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 75431, "scanner": "repobility-threat-engine", "fingerprint": "d24287c8e465e4597e5798f00b70eb4a3377ae83681cc9750c1ab50768e55521", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d24287c8e465e4597e5798f00b70eb4a3377ae83681cc9750c1ab50768e55521"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/all/vitest.config.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 75430, "scanner": "repobility-threat-engine", "fingerprint": "fa5644c3867b21d98cca11344c8eb396fc9e4ba9517a8f157de1fc2b28661764", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fa5644c3867b21d98cca11344c8eb396fc9e4ba9517a8f157de1fc2b28661764"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/deploy/deploy.mjs"}, "region": {"startLine": 169}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "properties": {"repobilityId": 75429, "scanner": "repobility-threat-engine", "fingerprint": "8300e1dddda87ad78ed7e3e11aa700622223a5af0741a311792ff73df507b349", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 29 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 29 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8300e1dddda87ad78ed7e3e11aa700622223a5af0741a311792ff73df507b349"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 75422, "scanner": "repobility-threat-engine", "fingerprint": "e7cd40d7b324241c80937e7a6f550054df46cdde533de8ce7a56977f55a98866", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e7cd40d7b324241c80937e7a6f550054df46cdde533de8ce7a56977f55a98866", "aggregated_count": 6}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 75421, "scanner": "repobility-threat-engine", "fingerprint": "0d2c02f96e0d0a1b051144ea582795198faec4c98122d3c9857dec3746a82eca", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0d2c02f96e0d0a1b051144ea582795198faec4c98122d3c9857dec3746a82eca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/embed/src/embed-github-block/configs/tooltips.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 75420, "scanner": "repobility-threat-engine", "fingerprint": "7e944a53e0367a522db1446ac55fc3982eefcdd03c004fbd0f18fc4694f2043d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7e944a53e0367a522db1446ac55fc3982eefcdd03c004fbd0f18fc4694f2043d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/embed/src/embed-figma-block/configs/tooltips.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 75419, "scanner": "repobility-threat-engine", "fingerprint": "56164ffe36a6fd9d4b6ed425c95dda40fdaf6561a2106d05a7eec5af5ce23fe3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|56164ffe36a6fd9d4b6ed425c95dda40fdaf6561a2106d05a7eec5af5ce23fe3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 75417, "scanner": "repobility-threat-engine", "fingerprint": "e357202075a7ceb7d86ebb6f88bac7272b0a59bc232b9719a2a76f37602f3021", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e357202075a7ceb7d86ebb6f88bac7272b0a59bc232b9719a2a76f37602f3021"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/setup-user.sh"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 75416, "scanner": "repobility-threat-engine", "fingerprint": "2a77c23e02801f6de7b1bbf56cc7809c61eabb0d8a4c01d4998ee656f07e34d2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a77c23e02801f6de7b1bbf56cc7809c61eabb0d8a4c01d4998ee656f07e34d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/build.sh"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `packages/frontend/apps/android/App/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `packages/frontend/apps/android/App/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,705 bytes) committed to a repo that otherwise has 7800 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 75556, "scanner": "repobility-supply-chain", "fingerprint": "94859c182b3405dee243f7b59849d340329c070fc67b0bfc4a2f9a74943b37bf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|94859c182b3405dee243f7b59849d340329c070fc67b0bfc4a2f9a74943b37bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/frontend/apps/android/App/gradle/wrapper/gradle-wrapper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-bookworm-slim` not pinned by digest: `FROM node:22-bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 75555, "scanner": "repobility-supply-chain", "fingerprint": "101272f14a2f5ec1aff41bd4f54d47c407c82e71349f62d299666247c631165c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|101272f14a2f5ec1aff41bd4f54d47c407c82e71349f62d299666247c631165c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/deployment/node/Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-bookworm-slim` not pinned by digest: `FROM node:22-bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 75554, "scanner": "repobility-supply-chain", "fingerprint": "d27423c99abc8c317cfc736e57ca71338195ba9a6a8b75a4ac4f072510fe0a85", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d27423c99abc8c317cfc736e57ca71338195ba9a6a8b75a4ac4f072510fe0a85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/deployment/node/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `manticoresearch/manticore:10.1.0` unpinned: `container/services image: manticoresearch/manticore:10.1.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75553, "scanner": "repobility-supply-chain", "fingerprint": "7e154b1e5c9e226e3228c2d707a03030c442695e9d6c461db56e35c95907c73a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e154b1e5c9e226e3228c2d707a03030c442695e9d6c461db56e35c95907c73a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 1144}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `mailhog/mailhog` unpinned: `container/services image: mailhog/mailhog` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75552, "scanner": "repobility-supply-chain", "fingerprint": "6e9ea121057c573e1f6f2a7da1f70f8f351c7e9c0f92d38c8f462ca9e82b29a1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6e9ea121057c573e1f6f2a7da1f70f8f351c7e9c0f92d38c8f462ca9e82b29a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 1139}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `pgvector/pgvector:pg16` unpinned: `container/services image: pgvector/pgvector:pg16` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75551, "scanner": "repobility-supply-chain", "fingerprint": "e41ff9170f9281c91ec2ce7b27b73d94179e2e87fb4c87930035e71914e1ecae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e41ff9170f9281c91ec2ce7b27b73d94179e2e87fb4c87930035e71914e1ecae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 1124}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `manticoresearch/manticore:10.1.0` unpinned: `container/services image: manticoresearch/manticore:10.1.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75550, "scanner": "repobility-supply-chain", "fingerprint": "0fa8e0090421a3d8fec04a6beafa952842d1f24853ae55f4b0ef9b282e767558", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0fa8e0090421a3d8fec04a6beafa952842d1f24853ae55f4b0ef9b282e767558"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 1061}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `pgvector/pgvector:pg16` unpinned: `container/services image: pgvector/pgvector:pg16` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75549, "scanner": "repobility-supply-chain", "fingerprint": "8e5349dc5eddfee43ee58bef890d8c85b012db3b7d8fae82ad5299559d397a14", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8e5349dc5eddfee43ee58bef890d8c85b012db3b7d8fae82ad5299559d397a14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 1046}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `manticoresearch/manticore:10.1.0` unpinned: `container/services image: manticoresearch/manticore:10.1.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75548, "scanner": "repobility-supply-chain", "fingerprint": "8e6301f7e35920b66750b8a4b907cfd00611a76412022a7f50bef4b0ad39fe5a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8e6301f7e35920b66750b8a4b907cfd00611a76412022a7f50bef4b0ad39fe5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 988}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `mailhog/mailhog` unpinned: `container/services image: mailhog/mailhog` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75547, "scanner": "repobility-supply-chain", "fingerprint": "58955c4f36fbe3aa587fc9568de3ff64bd5510b5a63f0eae46c0ce52f403891b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|58955c4f36fbe3aa587fc9568de3ff64bd5510b5a63f0eae46c0ce52f403891b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 983}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `pgvector/pgvector:pg16` unpinned: `container/services image: pgvector/pgvector:pg16` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75546, "scanner": "repobility-supply-chain", "fingerprint": "1e13d279214fa19814f85f0151d560de56d6f46c0b257d5d05f008d0fbeb74a6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e13d279214fa19814f85f0151d560de56d6f46c0b257d5d05f008d0fbeb74a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 968}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `manticoresearch/manticore:10.1.0` unpinned: `container/services image: manticoresearch/manticore:10.1.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75545, "scanner": "repobility-supply-chain", "fingerprint": "44e73adf9d0188447633b71774de748d19d2d8ab3da30d13d3949f2b09fc3652", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|44e73adf9d0188447633b71774de748d19d2d8ab3da30d13d3949f2b09fc3652"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 764}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `pgvector/pgvector:pg16` unpinned: `container/services image: pgvector/pgvector:pg16` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75544, "scanner": "repobility-supply-chain", "fingerprint": "d000a7bcee7a204bc2611d21218e42bec5fdf58ae431e720437dad6c6b65fd1e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d000a7bcee7a204bc2611d21218e42bec5fdf58ae431e720437dad6c6b65fd1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 749}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `mailhog/mailhog` unpinned: `container/services image: mailhog/mailhog` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75543, "scanner": "repobility-supply-chain", "fingerprint": "7eb435ab5a2472f23f54feb6ad6d706631e4d23b3347710c8861bee6df4eba8f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7eb435ab5a2472f23f54feb6ad6d706631e4d23b3347710c8861bee6df4eba8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 686}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `pgvector/pgvector:pg16` unpinned: `container/services image: pgvector/pgvector:pg16` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75542, "scanner": "repobility-supply-chain", "fingerprint": "c65b3ff8f20656915c235da6555b34a96b1b94bbde9b4e0d42308471b8998a29", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c65b3ff8f20656915c235da6555b34a96b1b94bbde9b4e0d42308471b8998a29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 671}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `manticoresearch/manticore:10.1.0` unpinned: `container/services image: manticoresearch/manticore:10.1.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75541, "scanner": "repobility-supply-chain", "fingerprint": "f2418a5ef8ca8209493d88dd39eddc880ecb7079de6103dfe4a8d6d8b711f8fb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f2418a5ef8ca8209493d88dd39eddc880ecb7079de6103dfe4a8d6d8b711f8fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 620}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `mailhog/mailhog` unpinned: `container/services image: mailhog/mailhog` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75540, "scanner": "repobility-supply-chain", "fingerprint": "4cbb7426fe6a9a6721b8e3b7a127bf03674135b61447c1d222eea4fec585a3af", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4cbb7426fe6a9a6721b8e3b7a127bf03674135b61447c1d222eea4fec585a3af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 615}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `pgvector/pgvector:pg16` unpinned: `container/services image: pgvector/pgvector:pg16` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75539, "scanner": "repobility-supply-chain", "fingerprint": "13cba7e4325bc2b5f0f774deff1db30bf0a40d272b12399be8a69d8b90a1040b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|13cba7e4325bc2b5f0f774deff1db30bf0a40d272b12399be8a69d8b90a1040b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 600}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `manticoresearch/manticore:10.1.0` unpinned: `container/services image: manticoresearch/manticore:10.1.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75531, "scanner": "repobility-supply-chain", "fingerprint": "c5e3a4a87af643a000fa51d74c1d83dd64970b68aba22e4a8ba3921f4986c539", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c5e3a4a87af643a000fa51d74c1d83dd64970b68aba22e4a8ba3921f4986c539"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/copilot-test.yml"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `pgvector/pgvector:pg16` unpinned: `container/services image: pgvector/pgvector:pg16` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75530, "scanner": "repobility-supply-chain", "fingerprint": "ddb3832857efc9cf16c4522caa468c525e9bc2efc6e147160c72453310590aaa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ddb3832857efc9cf16c4522caa468c525e9bc2efc6e147160c72453310590aaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/copilot-test.yml"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `manticoresearch/manticore:10.1.0` unpinned: `container/services image: manticoresearch/manticore:10.1.0` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75529, "scanner": "repobility-supply-chain", "fingerprint": "7a550dd4e4451eaea8947bf8469c8cbf38c98556418dd2e0ec15065465e29a43", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7a550dd4e4451eaea8947bf8469c8cbf38c98556418dd2e0ec15065465e29a43"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/copilot-test.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `mailhog/mailhog` unpinned: `container/services image: mailhog/mailhog` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75528, "scanner": "repobility-supply-chain", "fingerprint": "2153d732779b50820bb3e4d8e199c5c691191a497a1b98b644a1115c2226b1c5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2153d732779b50820bb3e4d8e199c5c691191a497a1b98b644a1115c2226b1c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/copilot-test.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `pgvector/pgvector:pg16` unpinned: `container/services image: pgvector/pgvector:pg16` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 75527, "scanner": "repobility-supply-chain", "fingerprint": "4f63d0582723406b5459552de9e0f964f0ca4bede71ad6766986af18f310098a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f63d0582723406b5459552de9e0f964f0ca4bede71ad6766986af18f310098a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/copilot-test.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75526, "scanner": "repobility-supply-chain", "fingerprint": "6c463a474af3ab7beb09a396124bfcfa3fa54c2b3a7b4012a04a4136a513d228", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c463a474af3ab7beb09a396124bfcfa3fa54c2b3a7b4012a04a4136a513d228"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop.yml"}, "region": {"startLine": 477}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75525, "scanner": "repobility-supply-chain", "fingerprint": "d57a8619f3dd565e327029aa5dc088d9871e88b3928206408f542d96f7523bbe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d57a8619f3dd565e327029aa5dc088d9871e88b3928206408f542d96f7523bbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop.yml"}, "region": {"startLine": 471}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75524, "scanner": "repobility-supply-chain", "fingerprint": "fb075bae72a883dfec79819acb15108a1af1f4e1ca1919739dc7692b8d0d7211", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fb075bae72a883dfec79819acb15108a1af1f4e1ca1919739dc7692b8d0d7211"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop.yml"}, "region": {"startLine": 465}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75523, "scanner": "repobility-supply-chain", "fingerprint": "e7d651354f14ac759d498cfa158e53a8ef03a909f85825d6d87f77b66d74ee74", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e7d651354f14ac759d498cfa158e53a8ef03a909f85825d6d87f77b66d74ee74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop.yml"}, "region": {"startLine": 460}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75522, "scanner": "repobility-supply-chain", "fingerprint": "028a33bd3c1104cf3b92c6309651721f5e5296dd8832c9098d92aa8b88d65568", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|028a33bd3c1104cf3b92c6309651721f5e5296dd8832c9098d92aa8b88d65568"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop.yml"}, "region": {"startLine": 458}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75521, "scanner": "repobility-supply-chain", "fingerprint": "f76d561b6906144c6af14b9b2178a85a080de0f5ed0542f057f6e2b7f240128e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f76d561b6906144c6af14b9b2178a85a080de0f5ed0542f057f6e2b7f240128e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop.yml"}, "region": {"startLine": 418}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/attest-build-provenance` pinned to mutable ref `@v4`: `uses: actions/attest-build-provenance@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75520, "scanner": "repobility-supply-chain", "fingerprint": "86b4cb51dc6164f1c860f21ba725d4cb14993016f048c5c4d3cd0325bc882aef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86b4cb51dc6164f1c860f21ba725d4cb14993016f048c5c4d3cd0325bc882aef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop.yml"}, "region": {"startLine": 407}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75519, "scanner": "repobility-supply-chain", "fingerprint": "743525e6ecf43e6b97f940d10ef85729488d2deb788c0463456f5692f8e6ca99", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|743525e6ecf43e6b97f940d10ef85729488d2deb788c0463456f5692f8e6ca99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop.yml"}, "region": {"startLine": 368}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75518, "scanner": "repobility-supply-chain", "fingerprint": "a8e37d7d10e99501c31793859679c76f31659f601b35ba87c32fabffbfc66af7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a8e37d7d10e99501c31793859679c76f31659f601b35ba87c32fabffbfc66af7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop.yml"}, "region": {"startLine": 359}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75517, "scanner": "repobility-supply-chain", "fingerprint": "86bad4809f9bcd1487086f407588c05d03bd3151c940fb666e9050163666726b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86bad4809f9bcd1487086f407588c05d03bd3151c940fb666e9050163666726b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop.yml"}, "region": {"startLine": 303}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75516, "scanner": "repobility-supply-chain", "fingerprint": "258ab0c3d6d5c94c43413bfb1c80558ebd12bc3d5a62cd858b9b62b31ffc44ca", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|258ab0c3d6d5c94c43413bfb1c80558ebd12bc3d5a62cd858b9b62b31ffc44ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop.yml"}, "region": {"startLine": 254}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75515, "scanner": "repobility-supply-chain", "fingerprint": "7648ebd200fe64bfa18bc8cdeea247fb4db2323ff85e4f765561e007086b7b99", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7648ebd200fe64bfa18bc8cdeea247fb4db2323ff85e4f765561e007086b7b99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop.yml"}, "region": {"startLine": 246}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75514, "scanner": "repobility-supply-chain", "fingerprint": "89bcd8cf39eb1b91b9c44fb98857be7fc86657cec8305c0b84f2f65f43c5896e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|89bcd8cf39eb1b91b9c44fb98857be7fc86657cec8305c0b84f2f65f43c5896e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop.yml"}, "region": {"startLine": 231}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75513, "scanner": "repobility-supply-chain", "fingerprint": "2a61079d35e9c4bb2f1804d316daabc8d86fe6cce537563843ceb55263aae319", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2a61079d35e9c4bb2f1804d316daabc8d86fe6cce537563843ceb55263aae319"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75512, "scanner": "repobility-supply-chain", "fingerprint": "73a1a95b19998bd4c066a52a28debe44c0ab372d26e9373f3946652305a3d36a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|73a1a95b19998bd4c066a52a28debe44c0ab372d26e9373f3946652305a3d36a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop.yml"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75511, "scanner": "repobility-supply-chain", "fingerprint": "88d196a4bc450f0932b6e754b25c2c7776072389d090a441a53ae10e873aeb22", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|88d196a4bc450f0932b6e754b25c2c7776072389d090a441a53ae10e873aeb22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `benc-uk/workflow-dispatch` pinned to mutable ref `@v1`: `uses: benc-uk/workflow-dispatch@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75510, "scanner": "repobility-supply-chain", "fingerprint": "1a32c8bf1edec41ae2ea02c1dfc1f46dbdcb2497672338a4f39b8a3cf1f9cc04", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1a32c8bf1edec41ae2ea02c1dfc1f46dbdcb2497672338a4f39b8a3cf1f9cc04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/copilot-test-automatically.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `benc-uk/workflow-dispatch` pinned to mutable ref `@v1`: `uses: benc-uk/workflow-dispatch@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75509, "scanner": "repobility-supply-chain", "fingerprint": "2c336ac11b458cf4d24c52db15dded5c1c1b978ddff952a46c0d4fc703bf459f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2c336ac11b458cf4d24c52db15dded5c1c1b978ddff952a46c0d4fc703bf459f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/copilot-test-automatically.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75508, "scanner": "repobility-supply-chain", "fingerprint": "0339851b8036eb74045e30088d73152c9de67d8ee536c866ac3a063bf0db381d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0339851b8036eb74045e30088d73152c9de67d8ee536c866ac3a063bf0db381d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop-platform.yml"}, "region": {"startLine": 220}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75507, "scanner": "repobility-supply-chain", "fingerprint": "495b837066e466b7a35acc48f485b32434b82a4297fa45bade3913aa0df52ce1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|495b837066e466b7a35acc48f485b32434b82a4297fa45bade3913aa0df52ce1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop-platform.yml"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/attest-build-provenance` pinned to mutable ref `@v4`: `uses: actions/attest-build-provenance@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75506, "scanner": "repobility-supply-chain", "fingerprint": "a68b1fe6a4eb02c7eeb491a29adfbcc532336ea8fb403ac091e073c8e13ca68a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a68b1fe6a4eb02c7eeb491a29adfbcc532336ea8fb403ac091e073c8e13ca68a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop-platform.yml"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/attest-build-provenance` pinned to mutable ref `@v4`: `uses: actions/attest-build-provenance@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75505, "scanner": "repobility-supply-chain", "fingerprint": "b88b76df69758df9f5c0d2c192b55b04dac0126e5418b08b239597c7e52a2200", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b88b76df69758df9f5c0d2c192b55b04dac0126e5418b08b239597c7e52a2200"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop-platform.yml"}, "region": {"startLine": 180}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `apple-actions/import-codesign-certs` pinned to mutable ref `@v7`: `uses: apple-actions/import-codesign-certs@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75504, "scanner": "repobility-supply-chain", "fingerprint": "b4a336e451ab0ddc5594006f50ca86e94a47745fc4e87960d79709cd5f6fd4c5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4a336e451ab0ddc5594006f50ca86e94a47745fc4e87960d79709cd5f6fd4c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop-platform.yml"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v4`: `uses: actions/download-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75503, "scanner": "repobility-supply-chain", "fingerprint": "f0915567505b98bba5bfb5f09369c51ac82ebb2ca2b9610396cb318478a7ac5f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0915567505b98bba5bfb5f09369c51ac82ebb2ca2b9610396cb318478a7ac5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop-platform.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 75502, "scanner": "repobility-supply-chain", "fingerprint": "6116cb85eb9085a436e16f93811d01f9eaa729672c3e2443ee95e26394079e9d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6116cb85eb9085a436e16f93811d01f9eaa729672c3e2443ee95e26394079e9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-desktop-platform.yml"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /global/stop has no auth: Express route POST /global/stop declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75500, "scanner": "repobility-route-auth", "fingerprint": "a067752bbe12df68e13a3069105752ad65a9bbee7da054880f1630499e23ad80", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a067752bbe12df68e13a3069105752ad65a9bbee7da054880f1630499e23ad80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/frontend/media-capture-playground/server/main.ts"}, "region": {"startLine": 1060}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /global/record has no auth: Express route POST /global/record declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75499, "scanner": "repobility-route-auth", "fingerprint": "2561059610f8290c41a900e29a3c2d361e95b7cea83c32e55e1ef5316b59a577", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|2561059610f8290c41a900e29a3c2d361e95b7cea83c32e55e1ef5316b59a577"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/frontend/media-capture-playground/server/main.ts"}, "region": {"startLine": 1050}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /transcribe has no auth: Express route POST /transcribe declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75498, "scanner": "repobility-route-auth", "fingerprint": "b4f64b8ecba859ebd963083052e8c93c05637458c1825205ba877bf247039da3", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b4f64b8ecba859ebd963083052e8c93c05637458c1825205ba877bf247039da3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/frontend/media-capture-playground/server/main.ts"}, "region": {"startLine": 971}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /recordings/:foldername/transcribe has no auth: Express route POST /recordings/:foldername/transcribe declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75497, "scanner": "repobility-route-auth", "fingerprint": "114c2ea99b588c2821454f44ad53e06c5c88ac5b794e174233ec47f9bcb9430c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|114c2ea99b588c2821454f44ad53e06c5c88ac5b794e174233ec47f9bcb9430c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/frontend/media-capture-playground/server/main.ts"}, "region": {"startLine": 885}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /apps/:process_id/stop has no auth: Express route POST /apps/:process_id/stop declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75496, "scanner": "repobility-route-auth", "fingerprint": "6c1ca11cfb4642a39e5ef9602c615c60f71e1d6aaad7ea59f456dc66cf9e471e", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6c1ca11cfb4642a39e5ef9602c615c60f71e1d6aaad7ea59f456dc66cf9e471e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/frontend/media-capture-playground/server/main.ts"}, "region": {"startLine": 878}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /apps/:process_id/record has no auth: Express route POST /apps/:process_id/record declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75495, "scanner": "repobility-route-auth", "fingerprint": "c790c5f9af75504a721e54eaf26141ca2fc3496bbdeae70787db9e028350ce40", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|c790c5f9af75504a721e54eaf26141ca2fc3496bbdeae70787db9e028350ce40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/frontend/media-capture-playground/server/main.ts"}, "region": {"startLine": 862}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /recordings/:foldername has no auth: Express route DELETE /recordings/:foldername declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 75494, "scanner": "repobility-route-auth", "fingerprint": "866d70465e9bd55580e98b1dcf4375691ac17938ee3ba99cd6cd89deaad7147b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|866d70465e9bd55580e98b1dcf4375691ac17938ee3ba99cd6cd89deaad7147b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/frontend/media-capture-playground/server/main.ts"}, "region": {"startLine": 793}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 75487, "scanner": "repobility-journey-contract", "fingerprint": "6722ea8d4c38e1fe8d38f719910bfa02bd533112dfb7551d147c954a20ebcbb5", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|287|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/frontend/core/src/desktop/dialogs/setting/account-setting/integrations-panel.tsx"}, "region": {"startLine": 287}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 75486, "scanner": "repobility-journey-contract", "fingerprint": "b39f781f9d960e44cb38c9ba84f93d28e623530b1ebc9a86570ffdf9e53c59f9", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|92|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/frontend/admin/src/modules/setup/create-admin.tsx"}, "region": {"startLine": 92}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 75485, "scanner": "repobility-journey-contract", "fingerprint": "d88c1357c9fd0bfd3b973834521637d2904a7ec987cc7c3ee9c42e9b4ceac84f", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|279|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/backend/server/src/core/permission/types.ts"}, "region": {"startLine": 279}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 75468, "scanner": "repobility-threat-engine", "fingerprint": "2cd9cbac89bef210d3fc4f962174ec5cbb7d1673c694121f7cdc42b56a906d45", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\n    query", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2cd9cbac89bef210d3fc4f962174ec5cbb7d1673c694121f7cdc42b56a906d45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/shared/src/utils/string.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC033", "level": "error", "message": {"text": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting every object in the process. CWE-1321. Real-world: CVE-2019-10744 (lodash), CVE-2021-23337 (lodash.set), CVE-2023-26136 (tough-cookie)."}, "properties": {"repobilityId": 75459, "scanner": "repobility-threat-engine", "fingerprint": "25c0a41f60689c577ee0d154d5b364260dc66f5c50d11f8eb92c92df91d3de24", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "[params.length] =", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC033", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|25c0a41f60689c577ee0d154d5b364260dc66f5c50d11f8eb92c92df91d3de24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/surface/src/utils/path-data-parser/parser.ts"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 75458, "scanner": "repobility-threat-engine", "fingerprint": "b3b89b492ca27a5cc9bd814db3c8b27dafee8e869e0ff13f73644c0f035b43fe", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b3b89b492ca27a5cc9bd814db3c8b27dafee8e869e0ff13f73644c0f035b43fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/shared/src/test-utils/affine-template.ts"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 75457, "scanner": "repobility-threat-engine", "fingerprint": "1cb15678806f2cac7e8e694a33532e19d3d82a40821edfb8bbb96f27f80bc03a", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1cb15678806f2cac7e8e694a33532e19d3d82a40821edfb8bbb96f27f80bc03a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/root/src/edgeless/clipboard/utils.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 75456, "scanner": "repobility-threat-engine", "fingerprint": "a64543c315db939c59bd6b7d91728f537f24b9a51591db308805236f0220814d", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a64543c315db939c59bd6b7d91728f537f24b9a51591db308805236f0220814d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/embed/src/embed-iframe-block/utils.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 75454, "scanner": "repobility-threat-engine", "fingerprint": "31e6ed6c08408f0bea3ef8311ed1acb99bc333da526bf319b07e1956ecf0dafb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this._initQueue.delete(payload.id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|31e6ed6c08408f0bea3ef8311ed1acb99bc333da526bf319b07e1956ecf0dafb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/embed-doc/src/embed-synced-doc-block/init-height-extension.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 75453, "scanner": "repobility-threat-engine", "fingerprint": "cd83b24e1b5fc69d9919a07142b3b22c93b3fe77c094bb1af2757e59e3b83a75", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.docDisposeMap.delete(id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cd83b24e1b5fc69d9919a07142b3b22c93b3fe77c094bb1af2757e59e3b83a75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/data-view/src/data-source.ts"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 75452, "scanner": "repobility-threat-engine", "fingerprint": "a6702e9ae02ae5c2ae48bb97c34e889238770b03b55c64c1f44de73292c13c63", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "text.delete(0, prefixText.length);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a6702e9ae02ae5c2ae48bb97c34e889238770b03b55c64c1f44de73292c13c63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/code/src/markdown.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 75440, "scanner": "repobility-threat-engine", "fingerprint": "1c62a9e43ca189a6ad70d5aad0d29be07c45313a8538bd4f1c7610f4cff63b3f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1c62a9e43ca189a6ad70d5aad0d29be07c45313a8538bd4f1c7610f4cff63b3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/code/src/adapters/markdown/preprocessor.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 75439, "scanner": "repobility-threat-engine", "fingerprint": "f71ada951475bc5e3e380badd62705295885118b2c09247b2b56ce8759430d26", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f71ada951475bc5e3e380badd62705295885118b2c09247b2b56ce8759430d26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/bookmark/src/components/bookmark-card.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 75438, "scanner": "repobility-threat-engine", "fingerprint": "7d9ed3387db322282466d99eb8f15ce9bb0bf4b11f8fced135752f8b51de3686", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7d9ed3387db322282466d99eb8f15ce9bb0bf4b11f8fced135752f8b51de3686"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/bookmark/src/bookmark-block.ts"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 75428, "scanner": "repobility-threat-engine", "fingerprint": "550cd55ddfcdda6256802678077da859f00d7de3ff54aa3e7aacf7fac54cc022", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(focusBlockEnd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|550cd55ddfcdda6256802678077da859f00d7de3ff54aa3e7aacf7fac54cc022"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/callout/src/configs/slash-menu.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 75427, "scanner": "repobility-threat-engine", "fingerprint": "1b686a66897a1587ab3fd2ac503def40aa54c6b0008ae44116ba008c58f9c2a3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(insertCommand", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1b686a66897a1587ab3fd2ac503def40aa54c6b0008ae44116ba008c58f9c2a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/blocks/bookmark/src/commands/insert-link-by-quick-search.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 75426, "scanner": "repobility-threat-engine", "fingerprint": "3d4d7cd8a6a2463e8a59e218d1fe1e023cc3c51db811d1994d08bc5fa654697d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(createHelmCommand", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3d4d7cd8a6a2463e8a59e218d1fe1e023cc3c51db811d1994d08bc5fa654697d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/deploy/deploy.mjs"}, "region": {"startLine": 161}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 75425, "scanner": "repobility-threat-engine", "fingerprint": "69bbb6ac8c8a32d6bfbfe28656554dfa3b46e7296232b887890320b371da26bd", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([key, value]) => `${key}=\"${value}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|69bbb6ac8c8a32d6bfbfe28656554dfa3b46e7296232b887890320b371da26bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blocksuite/affine/shared/src/test-utils/affine-test-utils.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 75424, "scanner": "repobility-threat-engine", "fingerprint": "48da6cc2a562214ae0f70000dba8ddeaa290d4f557462f542a73902843bd8a9d", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n      (host, index) => `--set global.ingress.hosts[${index}]=${host}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|48da6cc2a562214ae0f70000dba8ddeaa290d4f557462f542a73902843bd8a9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/actions/deploy/deploy.mjs"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TEST_SERVER_CONFIG` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TEST_SERVER_CONFIG }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 75538, "scanner": "repobility-supply-chain", "fingerprint": "93c04a6c01bc8410e0485c96a2db3881ff3858cb5d0342000677043b28242415", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|93c04a6c01bc8410e0485c96a2db3881ff3858cb5d0342000677043b28242415"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 1084}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 75537, "scanner": "repobility-supply-chain", "fingerprint": "f4671ce2f251c50bc6496e306802fe4e1451bcfeeda9f3d6e9f2fcd05de41306", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f4671ce2f251c50bc6496e306802fe4e1451bcfeeda9f3d6e9f2fcd05de41306"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 1020}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TEST_SERVER_CONFIG` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TEST_SERVER_CONFIG }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 75536, "scanner": "repobility-supply-chain", "fingerprint": "cd11b95473b908ceb4e7832a6c2171a921775f9a0b5cebae0e7583a2ff57d1e6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd11b95473b908ceb4e7832a6c2171a921775f9a0b5cebae0e7583a2ff57d1e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 1009}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 75535, "scanner": "repobility-supply-chain", "fingerprint": "7c9aa697bb940b716cdd8b48847739aa2bad034b825af98313b3e7743b3c04d7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7c9aa697bb940b716cdd8b48847739aa2bad034b825af98313b3e7743b3c04d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 792}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 75534, "scanner": "repobility-supply-chain", "fingerprint": "c47a1c3293c1a37c7be9f8536d989a797183b56266daabff776b758828c687c1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c47a1c3293c1a37c7be9f8536d989a797183b56266daabff776b758828c687c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 731}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 75533, "scanner": "repobility-supply-chain", "fingerprint": "b4d48cde960ab670d232429a4f388108bf79c61e4815454fd7e789369bc5243c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4d48cde960ab670d232429a4f388108bf79c61e4815454fd7e789369bc5243c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 652}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 75532, "scanner": "repobility-supply-chain", "fingerprint": "ff79abaa9e8bc9a79c240b885ac711368cc15346f0b2918231db0a0148709950", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ff79abaa9e8bc9a79c240b885ac711368cc15346f0b2918231db0a0148709950"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-test.yml"}, "region": {"startLine": 388}}}]}, {"ruleId": "MINED129", "level": "error", "message": {"text": "[MINED129] Committed yarn npmAuthToken in .yarnrc.yml: `.yarnrc.yml` contains a yarn npmAuthToken. If this file is committed to the repo, the credential is leaked to every developer and CI system. Anyone with read access to the repo can publish packages as you."}, "properties": {"repobilityId": 75501, "scanner": "repobility-supply-chain", "fingerprint": "2556623ae7a221824dbaa47ab37d491f6c4dbaa5d3e77652014997afb7a4fbfb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "committed-npmrc-token", "owasp": null, "cwe_ids": ["CWE-798", "CWE-540"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2556623ae7a221824dbaa47ab37d491f6c4dbaa5d3e77652014997afb7a4fbfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".yarnrc.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 75472, "scanner": "repobility-docker", "fingerprint": "97af3409eb1ba1b8df2614219cb03aad60d7ff386f3ecfe24868198685ff7c6b", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "db", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|97af3409eb1ba1b8df2614219cb03aad60d7ff386f3ecfe24868198685ff7c6b", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 75418, "scanner": "repobility-threat-engine", "fingerprint": "429e1a324c900fd8d293234b8dd17f687b5628afadcad296cf2ea30badd80b65", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgresql://affine:affine@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|. token|1|postgresql://affine:affine"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 13}}}]}]}]}