{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `get_pkg_hash_from_Packages` has cognitive complexity 24 (SonarSource scal", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `get_pkg_hash_from_Packages` has cognitive complexity 24 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, "}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 24."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED075", "name": "[MINED075] C Malloc No Check (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED075] C Malloc No Check (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-690 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.DOCKER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, w", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.DOCKER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_TOKEN }` lets a PR from any fork exfiltrate the secret ("}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED022", "name": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf.", "shortDescription": {"text": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-120 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1230"}, "properties": {"repository": "termux/termux-packages", "repoUrl": "https://github.com/termux/termux-packages", "branch": "master"}, "results": [{"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 123779, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `get_pkg_hash_from_Packages` has cognitive complexity 24 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: break=1, elif=2, for=2, if=3, nested_bonus=16."}, "properties": {"repobilityId": 123775, "scanner": "repobility-threat-engine", "fingerprint": "147da7bfe9ec129a2dd38ea6a613991bc0483dcbda97f88de49d6f25b63b6491", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 24 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "get_pkg_hash_from_Packages", "breakdown": {"if": 3, "for": 2, "elif": 2, "break": 1, "nested_bonus": 16}, "complexity": 24, "correlation_key": "fp|147da7bfe9ec129a2dd38ea6a613991bc0483dcbda97f88de49d6f25b63b6491"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/get_hash_from_file.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123805, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4d117e3e64de32ce451a509a392a9de4c7dca79ace4050c04d9ddbecbd1e02ce", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/libnl/getsubopt.c", "duplicate_line": 1, "correlation_key": "fp|4d117e3e64de32ce451a509a392a9de4c7dca79ace4050c04d9ddbecbd1e02ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x11-packages/scrot/getsubopt.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123804, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff290cacb02baf4b46e376ff29fd643c8559b5457bf2d2fdc7e7ef2aef18f94f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/libnl/getsubopt.c", "duplicate_line": 1, "correlation_key": "fp|ff290cacb02baf4b46e376ff29fd643c8559b5457bf2d2fdc7e7ef2aef18f94f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "root-packages/v4l-utils/getsubopt.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123803, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0b9858bf6213bd013647941a34817d463fb55ffe24ae7c5a7779949d87b63484", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/libvbisam/efgcvt-dbl-macros.h", "duplicate_line": 2, "correlation_key": "fp|0b9858bf6213bd013647941a34817d463fb55ffe24ae7c5a7779949d87b63484"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "root-packages/nfs-utils/versionsort.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123802, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bef4581b02643da3cf1b0ee67f87dd6b90ceb838593519e51e8bc31bd234487e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "root-packages/arp-scan/hsearch/search.h", "duplicate_line": 1, "correlation_key": "fp|bef4581b02643da3cf1b0ee67f87dd6b90ceb838593519e51e8bc31bd234487e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "root-packages/mtr/hsearch/search.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123801, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9793423db988fc6eaa1e1fcad41d9a068cbb7f2f7e6b57ab11fcbc22a720f801", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/libelf/search/hsearch_r.c", "duplicate_line": 23, "correlation_key": "fp|9793423db988fc6eaa1e1fcad41d9a068cbb7f2f7e6b57ab11fcbc22a720f801"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "root-packages/mtr/hsearch/hsearch_r.c"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123800, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2a4ba96ce069efcdd5749ffe6430b6a1e26cc48ff89432b64f4c3bfd86c5c313", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "root-packages/arp-scan/hsearch/hsearch_r.c", "duplicate_line": 1, "correlation_key": "fp|2a4ba96ce069efcdd5749ffe6430b6a1e26cc48ff89432b64f4c3bfd86c5c313"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "root-packages/mtr/hsearch/hsearch_r.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123799, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e8ddb27da8e5945fd113cfdd8889bedc1c66b2748c89e23bb5cb7368cb5043ee", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/libelf/search/hcreate_r.c", "duplicate_line": 2, "correlation_key": "fp|e8ddb27da8e5945fd113cfdd8889bedc1c66b2748c89e23bb5cb7368cb5043ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "root-packages/mtr/hsearch/hcreate_r.c"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123798, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dbb5687a57c2ec759cca9fed4ad87bfda7b6a1819914e9a8c97dcccb10a9e0fc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "root-packages/arp-scan/hsearch/hcreate_r.c", "duplicate_line": 1, "correlation_key": "fp|dbb5687a57c2ec759cca9fed4ad87bfda7b6a1819914e9a8c97dcccb10a9e0fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "root-packages/mtr/hsearch/hcreate_r.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123797, "scanner": "repobility-ai-code-hygiene", "fingerprint": "39cf96c7f8dc2c40b490a581d12ffd220837ff67347205d2e85727e6e772182e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "root-packages/arp-scan/hsearch/hcreate.c", "duplicate_line": 1, "correlation_key": "fp|39cf96c7f8dc2c40b490a581d12ffd220837ff67347205d2e85727e6e772182e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "root-packages/mtr/hsearch/hcreate.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123796, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9e6102e6f98c864d569f0e40b74729b6f995ac1400bec635a4e69664d5ec430a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/libelf/search/hsearch_r.c", "duplicate_line": 23, "correlation_key": "fp|9e6102e6f98c864d569f0e40b74729b6f995ac1400bec635a4e69664d5ec430a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "root-packages/arp-scan/hsearch/hsearch_r.c"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123795, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e3419c8e1b6d60f9c30df34587fab5c38ce5c3674efcebb9a5a9afac2ab3f542", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/libelf/search/hcreate_r.c", "duplicate_line": 2, "correlation_key": "fp|e3419c8e1b6d60f9c30df34587fab5c38ce5c3674efcebb9a5a9afac2ab3f542"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "root-packages/arp-scan/hsearch/hcreate_r.c"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123794, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8f86e9d48084581bbbb4daae235b4d081405085296a8cba1d92e7eff6567bf36", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pulseaudio/module-aaudio-sink.c", "duplicate_line": 272, "correlation_key": "fp|8f86e9d48084581bbbb4daae235b4d081405085296a8cba1d92e7eff6567bf36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pulseaudio/module-sles-source.c"}, "region": {"startLine": 280}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123793, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0705a297a37ed9a33325e9f39179f28532e8640fc5a4cc25793217d47336f2e7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pulseaudio/module-sles-sink.c", "duplicate_line": 189, "correlation_key": "fp|0705a297a37ed9a33325e9f39179f28532e8640fc5a4cc25793217d47336f2e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pulseaudio/module-sles-source.c"}, "region": {"startLine": 97}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123792, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fac1d31719ac61a50bdf923129963a44a96b3bc8e2dbcececc305757dc9bcf83", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/pulseaudio/module-aaudio-sink.c", "duplicate_line": 1, "correlation_key": "fp|fac1d31719ac61a50bdf923129963a44a96b3bc8e2dbcececc305757dc9bcf83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/pulseaudio/module-sles-sink.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123791, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e68b4b0ccc97a6dc01951a3a038ddfac9db022c1f196cc060dbbff719972e646", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/libnl/getsubopt.c", "duplicate_line": 1, "correlation_key": "fp|e68b4b0ccc97a6dc01951a3a038ddfac9db022c1f196cc060dbbff719972e646"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/memcached/getsubopt.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123790, "scanner": "repobility-ai-code-hygiene", "fingerprint": "97b7bed2b701f40678f01fad833583ede070ab672df345e6c37f714f81339595", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/libvbisam/efgcvt-dbl-macros.h", "duplicate_line": 1, "correlation_key": "fp|97b7bed2b701f40678f01fad833583ede070ab672df345e6c37f714f81339595"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/libvbisam/efgcvt_r-template.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123789, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ecde7f30c45ebbccbf545d196dc8a60b2dbdc164a9931f7b9f3e319ffa087c44", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/libhdf5/aarch64/H5lib_settings.c", "duplicate_line": 1, "correlation_key": "fp|ecde7f30c45ebbccbf545d196dc8a60b2dbdc164a9931f7b9f3e319ffa087c44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/libhdf5/x86_64/H5lib_settings.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123788, "scanner": "repobility-ai-code-hygiene", "fingerprint": "18c20d48cc05d4c55146c87db3afcc3862fbd812d872bf8e8f5cad84f3512f97", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/libhdf5/aarch64/H5Tinit.c", "duplicate_line": 1, "correlation_key": "fp|18c20d48cc05d4c55146c87db3afcc3862fbd812d872bf8e8f5cad84f3512f97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/libhdf5/x86_64/H5Tinit.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123787, "scanner": "repobility-ai-code-hygiene", "fingerprint": "96ea3e8a4c3bd21cc08b418b05350539b6bf26df98c609480d5e54f2b6771d15", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/libhdf5/aarch64/H5lib_settings.c", "duplicate_line": 1, "correlation_key": "fp|96ea3e8a4c3bd21cc08b418b05350539b6bf26df98c609480d5e54f2b6771d15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/libhdf5/i686/H5lib_settings.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123786, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fba393ae55f6a8b7698816a2dd1062668f2fed41d4d51bde8ccf9b82df0010b5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/libhdf5/arm/H5Tinit.c", "duplicate_line": 56, "correlation_key": "fp|fba393ae55f6a8b7698816a2dd1062668f2fed41d4d51bde8ccf9b82df0010b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/libhdf5/i686/H5Tinit.c"}, "region": {"startLine": 56}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123785, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ca8d320f38f65b22203f094724ce68fc9405c96a6407ef7016192d0882ad1ffc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/libhdf5/aarch64/H5Tinit.c", "duplicate_line": 1, "correlation_key": "fp|ca8d320f38f65b22203f094724ce68fc9405c96a6407ef7016192d0882ad1ffc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/libhdf5/i686/H5Tinit.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123784, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b1c28632801a9634a03b100b9278aeb31968d3b4ee2bec3717abe56d552aabc1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/libhdf5/aarch64/H5lib_settings.c", "duplicate_line": 1, "correlation_key": "fp|b1c28632801a9634a03b100b9278aeb31968d3b4ee2bec3717abe56d552aabc1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/libhdf5/arm/H5lib_settings.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123783, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7924027500cf54bebabc5741cf9f2cb185dfc9fa6613a9a0644828458415ec72", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/libhdf5/aarch64/H5Tinit.c", "duplicate_line": 1, "correlation_key": "fp|7924027500cf54bebabc5741cf9f2cb185dfc9fa6613a9a0644828458415ec72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/libhdf5/arm/H5Tinit.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123782, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e7a4d826b55ad7faa42d2c00f7c365f09b8e3fe42e89a230c413a547984276b3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "disabled-packages/anacron/obstack.h", "duplicate_line": 1, "correlation_key": "fp|e7a4d826b55ad7faa42d2c00f7c365f09b8e3fe42e89a230c413a547984276b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/libelf/obstack.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123781, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c7faedc0619c253e70583e7b53c30d17670ea761b292ba076096c25a2687c5f0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/fish/ctermid.c", "duplicate_line": 1, "correlation_key": "fp|c7faedc0619c253e70583e7b53c30d17670ea761b292ba076096c25a2687c5f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/libandroid-posix-semaphore/semaphore.c"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 123780, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b3fda92340a5bb2abd50b6e04a040f5225d9c0f83e34f9f0d89a2974c42d7aa6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "disabled-packages/anacron/obstack.h", "duplicate_line": 1, "correlation_key": "fp|b3fda92340a5bb2abd50b6e04a040f5225d9c0f83e34f9f0d89a2974c42d7aa6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/dwarves/obstack.h"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 123778, "scanner": "repobility-threat-engine", "fingerprint": "5ba3c08a3f9f6b821018f08fa8f57f1e0162b0fcdea821ee22bc862b9ad01ba3", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'/binary-'+arch+'/Packages'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5ba3c08a3f9f6b821018f08fa8f57f1e0162b0fcdea821ee22bc862b9ad01ba3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/get_hash_from_file.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `get_Packages_hash_from_Release` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: break=2, continue=1, for=2, if=3, nested_bonus=4."}, "properties": {"repobilityId": 123776, "scanner": "repobility-threat-engine", "fingerprint": "e5c6d414cb3d1992fda3c06cafe3e93996c9f6d45a0615c6b9a8b5e72216fcfa", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 12 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "get_Packages_hash_from_Release", "breakdown": {"if": 3, "for": 2, "break": 2, "continue": 1, "nested_bonus": 4}, "complexity": 12, "correlation_key": "fp|e5c6d414cb3d1992fda3c06cafe3e93996c9f6d45a0615c6b9a8b5e72216fcfa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/get_hash_from_file.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `check_manifest` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=1, elif=1, for=1, if=3, nested_bonus=6."}, "properties": {"repobilityId": 123774, "scanner": "repobility-threat-engine", "fingerprint": "9304e1c3fffe551c2f7bb86814b3e089691cb321fe44a718fc4da4c966604323", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 12 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "check_manifest", "breakdown": {"if": 3, "for": 1, "elif": 1, "continue": 1, "nested_bonus": 6}, "complexity": 12, "correlation_key": "fp|9304e1c3fffe551c2f7bb86814b3e089691cb321fe44a718fc4da4c966604323"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check-built-packages.py"}, "region": {"startLine": 14}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 123777, "scanner": "repobility-threat-engine", "fingerprint": "33f8a11bb9950391724aaaf564313c9967d2e5a2c97736723f8a42124b41d155", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "check_manifest", "breakdown": {"if": 3, "for": 1, "elif": 1, "continue": 1, "nested_bonus": 6}, "aggregated": true, "complexity": 12, "correlation_key": "fp|33f8a11bb9950391724aaaf564313c9967d2e5a2c97736723f8a42124b41d155", "aggregated_count": 1}}}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 123772, "scanner": "repobility-threat-engine", "fingerprint": "c2c0449eee5a53e768a7b6d1519e57d1fddf612b5ef4ccda193e8812bc703639", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c2c0449eee5a53e768a7b6d1519e57d1fddf612b5ef4ccda193e8812bc703639", "aggregated_count": 7}}}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 123771, "scanner": "repobility-threat-engine", "fingerprint": "930468afe695300b025464e7c698885a31dd4a701ca9978a5b3310a6a2ff7aa3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|930468afe695300b025464e7c698885a31dd4a701ca9978a5b3310a6a2ff7aa3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/libelf/search/hsearch_r.c"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 123770, "scanner": "repobility-threat-engine", "fingerprint": "cb032f8ebcdaeb1f16354cb6747e17616d8c7d49a4c185c0a0ae7c1523ee20c4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cb032f8ebcdaeb1f16354cb6747e17616d8c7d49a4c185c0a0ae7c1523ee20c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/libelf/search/hcreate_r.c"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 123769, "scanner": "repobility-threat-engine", "fingerprint": "12299bf9b2566368e7d015e0134eac01abf3d7b0d5188f224f212811302cdcc3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|12299bf9b2566368e7d015e0134eac01abf3d7b0d5188f224f212811302cdcc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/libandroid-wordexp/wordexp.c"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123836, "scanner": "repobility-supply-chain", "fingerprint": "4870bbf9ed346498ff74551f3a3e2c7e11574301468c8d1bb9747259da017aba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4870bbf9ed346498ff74551f3a3e2c7e11574301468c8d1bb9747259da017aba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check_repository_health.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123835, "scanner": "repobility-supply-chain", "fingerprint": "0b081246c1b6b7005515d46ca546e71f5823a1b41d1c52a8cc605305cabaf92e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0b081246c1b6b7005515d46ca546e71f5823a1b41d1c52a8cc605305cabaf92e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/golang_validation.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123834, "scanner": "repobility-supply-chain", "fingerprint": "0a30abdeb23725edbd7d250db0359378f16230ce9593b3d6d3856e6dfbbb1429", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a30abdeb23725edbd7d250db0359378f16230ce9593b3d6d3856e6dfbbb1429"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/golang_validation.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123833, "scanner": "repobility-supply-chain", "fingerprint": "2b3489fb35b5cd91c062e9c37691485e85d32a0bd5d5e0d29fe70dade29b7e1c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2b3489fb35b5cd91c062e9c37691485e85d32a0bd5d5e0d29fe70dade29b7e1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/golang_validation.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v7`: `uses: actions/download-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123832, "scanner": "repobility-supply-chain", "fingerprint": "f77210d85ce5f470469323031377c02eda1a7b959ddc560420cc46d420f35db1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f77210d85ce5f470469323031377c02eda1a7b959ddc560420cc46d420f35db1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bootstrap_archives.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123831, "scanner": "repobility-supply-chain", "fingerprint": "87ae0012262ce8d066e1bcf91903aff03f7044efaa9be7f8eb0ef7ba7c3e9666", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|87ae0012262ce8d066e1bcf91903aff03f7044efaa9be7f8eb0ef7ba7c3e9666"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bootstrap_archives.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123830, "scanner": "repobility-supply-chain", "fingerprint": "643154c45d938fba56556c943b31c4037229b458ac5b7eded6341fce2c303718", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|643154c45d938fba56556c943b31c4037229b458ac5b7eded6341fce2c303718"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bootstrap_archives.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123829, "scanner": "repobility-supply-chain", "fingerprint": "22977d2fbd950d9295a6b7132ef4cfdbb5feb03c77697375e8bbf1868ebf0657", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|22977d2fbd950d9295a6b7132ef4cfdbb5feb03c77697375e8bbf1868ebf0657"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bootstrap_archives.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123827, "scanner": "repobility-supply-chain", "fingerprint": "fab3b0f92c85a8d35b986a73076c842c7a7e8f3eab5ec15b6b0843ff1151b0e5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fab3b0f92c85a8d35b986a73076c842c7a7e8f3eab5ec15b6b0843ff1151b0e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker_image.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123826, "scanner": "repobility-supply-chain", "fingerprint": "8238fa0194963d67aff9c0189e960f701480d2ff4d014c20874187273a9aa55a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8238fa0194963d67aff9c0189e960f701480d2ff4d014c20874187273a9aa55a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/zig_validation.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123825, "scanner": "repobility-supply-chain", "fingerprint": "71630e2c30f48cc1dbf57f24c63b0f653173e44bb5bf943042a33c4ff7ff640c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|71630e2c30f48cc1dbf57f24c63b0f653173e44bb5bf943042a33c4ff7ff640c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/zig_validation.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123824, "scanner": "repobility-supply-chain", "fingerprint": "b6669c53c19279d7095eb2f14a02d1dfe0674aad312e099455769c7c13b05b26", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b6669c53c19279d7095eb2f14a02d1dfe0674aad312e099455769c7c13b05b26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/zig_validation.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v7`: `uses: actions/download-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123821, "scanner": "repobility-supply-chain", "fingerprint": "03bb5ae02c62a6d3ac17a4395801c754bc85039e8e65b3d4bd1a4ae25960104d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|03bb5ae02c62a6d3ac17a4395801c754bc85039e8e65b3d4bd1a4ae25960104d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/packages.yml"}, "region": {"startLine": 424}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123820, "scanner": "repobility-supply-chain", "fingerprint": "d7e69182ad02b73d99bc959882d651c6238d211effc6caaadc0f8c661bb94fc3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d7e69182ad02b73d99bc959882d651c6238d211effc6caaadc0f8c661bb94fc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/packages.yml"}, "region": {"startLine": 422}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v7`: `uses: actions/download-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123819, "scanner": "repobility-supply-chain", "fingerprint": "c201575599e5579fa29726e8e4ca1bf058f4a7d8ab0a28f9b8fbd7c45efddf05", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c201575599e5579fa29726e8e4ca1bf058f4a7d8ab0a28f9b8fbd7c45efddf05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/packages.yml"}, "region": {"startLine": 357}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123818, "scanner": "repobility-supply-chain", "fingerprint": "c80b8bd4d3a692ebbf1d8c484fc3726aa5fe79578b5650713f04d73f8ed04b81", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c80b8bd4d3a692ebbf1d8c484fc3726aa5fe79578b5650713f04d73f8ed04b81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/packages.yml"}, "region": {"startLine": 355}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123817, "scanner": "repobility-supply-chain", "fingerprint": "f631cc4d5fb80309ccdcce7849f2da4d4e59b608f07d584703cd4891a0d8fb05", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f631cc4d5fb80309ccdcce7849f2da4d4e59b608f07d584703cd4891a0d8fb05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/packages.yml"}, "region": {"startLine": 327}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123816, "scanner": "repobility-supply-chain", "fingerprint": "c197415d5d5f2a4afb11f1696318981e6f101e1b7c68d8d2349db4377118017b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c197415d5d5f2a4afb11f1696318981e6f101e1b7c68d8d2349db4377118017b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/packages.yml"}, "region": {"startLine": 312}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123815, "scanner": "repobility-supply-chain", "fingerprint": "c49414b165fa0a8cf9bf35aa72f298b359a744bf7c5f77b1514abefb98615608", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c49414b165fa0a8cf9bf35aa72f298b359a744bf7c5f77b1514abefb98615608"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/packages.yml"}, "region": {"startLine": 306}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123814, "scanner": "repobility-supply-chain", "fingerprint": "b88e98c0af933015e9917fdba40c45d41caa15a7b0dd784c20f5c928a6753c7a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b88e98c0af933015e9917fdba40c45d41caa15a7b0dd784c20f5c928a6753c7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/packages.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123810, "scanner": "repobility-supply-chain", "fingerprint": "b1381a9fd75d14308abf0373b6dcb22d3809e415f5c08d2a2c4fc701f0192039", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b1381a9fd75d14308abf0373b6dcb22d3809e415f5c08d2a2c4fc701f0192039"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/package_updates.yml"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123809, "scanner": "repobility-supply-chain", "fingerprint": "5d0093c44d0e7989e0a100b1e6e871e881472f5eaae1e4262531a051e5c73865", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5d0093c44d0e7989e0a100b1e6e871e881472f5eaae1e4262531a051e5c73865"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/package_updates.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v4`: `uses: github/codeql-action/analyze@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123808, "scanner": "repobility-supply-chain", "fingerprint": "57065746de9d160d4f281717e03a09d8b440270162025e7547c1ddfa06018210", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|57065746de9d160d4f281717e03a09d8b440270162025e7547c1ddfa06018210"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v4`: `uses: github/codeql-action/init@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123807, "scanner": "repobility-supply-chain", "fingerprint": "8cba1498ca3155532f46bd6730245fa3373680abc45b4bb7abe9919242f670c2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8cba1498ca3155532f46bd6730245fa3373680abc45b4bb7abe9919242f670c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123806, "scanner": "repobility-supply-chain", "fingerprint": "9dd7cef74e678df67a8a5da921d83b78c1a0058cc977d13dacfc34306e79d220", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9dd7cef74e678df67a8a5da921d83b78c1a0058cc977d13dacfc34306e79d220"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 123773, "scanner": "repobility-threat-engine", "fingerprint": "638dcb103565a49702fdd0c3777791f4776904054180585aad2e1af3803a9d26", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "urllib.request.urlopen(m", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|638dcb103565a49702fdd0c3777791f4776904054180585aad2e1af3803a9d26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check-built-packages.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 123766, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 123828, "scanner": "repobility-supply-chain", "fingerprint": "d1abd8b1327a303d4151f83fd461f4d5547bd1a2bf53c335a2574cb39cadfdda", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d1abd8b1327a303d4151f83fd461f4d5547bd1a2bf53c335a2574cb39cadfdda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker_image.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GPG_PASSPHRASE` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GPG_PASSPHRASE }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 123823, "scanner": "repobility-supply-chain", "fingerprint": "a91dabd9bb1ede248e043ae8981ac52389d9af10326d8a3ff5076222f2252d73", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a91dabd9bb1ede248e043ae8981ac52389d9af10326d8a3ff5076222f2252d73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/packages.yml"}, "region": {"startLine": 432}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APTLY_API_AUTH` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APTLY_API_AUTH }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 123822, "scanner": "repobility-supply-chain", "fingerprint": "cd74ad400411b97d064c9d006dd74f2909379368bc56c1ef7699cb9f050d808a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd74ad400411b97d064c9d006dd74f2909379368bc56c1ef7699cb9f050d808a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/packages.yml"}, "region": {"startLine": 431}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TERMUXBOT2_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TERMUXBOT2_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 123813, "scanner": "repobility-supply-chain", "fingerprint": "4b1d6de9e3bc10c4fda2c41973fe1818f7d4df44af9003d46e88f26f80a05289", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b1d6de9e3bc10c4fda2c41973fe1818f7d4df44af9003d46e88f26f80a05289"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/package_updates.yml"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TERMUXBOT2_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TERMUXBOT2_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 123812, "scanner": "repobility-supply-chain", "fingerprint": "54cda6ecd636a25b53e3987acd932bdc704d6a1cb28c40f8209f7ba1874c3135", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|54cda6ecd636a25b53e3987acd932bdc704d6a1cb28c40f8209f7ba1874c3135"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/package_updates.yml"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TERMUXBOT2_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TERMUXBOT2_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 123811, "scanner": "repobility-supply-chain", "fingerprint": "a466627765a4e7fd6a023163fcfa87589e07b8107b43e9b5e338496f995904d0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a466627765a4e7fd6a023163fcfa87589e07b8107b43e9b5e338496f995904d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/package_updates.yml"}, "region": {"startLine": 106}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf."}, "properties": {"repobilityId": 123768, "scanner": "repobility-threat-engine", "fingerprint": "e8ff374d9bb4ade3511e808748554a24d3608f3ab27470669c4a0d1cba4e20d9", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e8ff374d9bb4ade3511e808748554a24d3608f3ab27470669c4a0d1cba4e20d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ruff/ctermid.c"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf."}, "properties": {"repobilityId": 123767, "scanner": "repobility-threat-engine", "fingerprint": "5c095c9a3c2d190e61bd8f24c3e9120e482b17e76735918b41d323ce0b4d0479", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5c095c9a3c2d190e61bd8f24c3e9120e482b17e76735918b41d323ce0b4d0479"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/fish/ctermid.c"}, "region": {"startLine": 32}}}]}]}]}