{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED109", "name": "[MINED109] Mutable default argument in `__repr__` (dict): `def __repr__(... = []/{}/set())` \u2014 Python's default value is ", "shortDescription": {"text": "[MINED109] Mutable default argument in `__repr__` (dict): `def __repr__(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every f"}, "fullDescription": {"text": "Use None as the default and create the collection inside the function: `def __repr__(x=None): x = x or []`"}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC014", "name": "Database data bind mount is inside the Docker build context", "shortDescription": {"text": "Database data bind mount is inside the Docker build context"}, "fullDescription": {"text": "Prefer a named volume or a host path outside the build context. If a repo-local path is required, add it to .dockerignore and .gitignore and verify backups separately."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `oracledb-sleep` image uses the latest tag", "shortDescription": {"text": "Compose service `oracledb-sleep` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `mssql-init` image has no explicit tag", "shortDescription": {"text": "Compose service `mssql-init` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "Confirm whether this file is reachable. If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "ERR001", "name": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG ", "shortDescription": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "fullDescription": {"text": "Log the error: `except Exception: logger.debug('cleanup failed', exc_info=True)`. Or handle specific exception types."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC014", "name": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.", "shortDescription": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "fullDescription": {"text": "Enable SSL verification. Use verify=True (default) for requests. Pin certificates if needed."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC127", "name": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedEr", "shortDescription": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or "}, "fullDescription": {"text": "Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `get_all_packages` has cognitive complexity 19 (SonarSource scale). Cognit", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `get_all_packages` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recurs"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 19."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC009", "name": "Multiple AI-agent scaffold marker files are present", "shortDescription": {"text": "Multiple AI-agent scaffold marker files are present"}, "fullDescription": {"text": "Keep one current agent instruction file if it helps contributors, remove stale progress/completion markers, and make sure the README, tests, and CI describe the real supported behavior."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC124", "name": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacke", "shortDescription": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason."}, "fullDescription": {"text": "Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`."}, "properties": {"scanner": "repobility-threat-engine", "category": "race_condition", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 16 more): Same pattern found in 16 additional files. Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 25 more): Same pattern found in 25 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 31 more): Same pattern found in 31 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 18 more): Same pattern found in 18 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 29 more): Same pattern found in 29 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED072", "name": "[MINED072] Python Pass Only Class (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED072] Python Pass Only Class (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED001] Bare Except Pass (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED075", "name": "[MINED075] C Malloc No Check (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED075] C Malloc No Check (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-690 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED013] Password In Url (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED040", "name": "[MINED040] Python Yaml Load Unsafe (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED040] Python Yaml Load Unsafe (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input (and 6 more): Same pattern found in 6 additional files. Review", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `src/go/plugin/ibm.d/protocols/websphere/jmx/websphere_jmx_helper.jar` committed in source repo: ", "shortDescription": {"text": "[MINED134] Binary file `src/go/plugin/ibm.d/protocols/websphere/jmx/websphere_jmx_helper.jar` committed in source repo: `src/go/plugin/ibm.d/protocols/websphere/jmx/websphere_jmx_helper.jar` is a .jar binary (7,936 bytes) committed to a rep"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED128", "name": "[MINED128] go.mod replaces `github.com/gosnmp/gosnmp` \u2014 redirects to fork `github.com/ilyam8/gosnmp`: `replace github.co", "shortDescription": {"text": "[MINED128] go.mod replaces `github.com/gosnmp/gosnmp` \u2014 redirects to fork `github.com/ilyam8/gosnmp`: `replace github.com/gosnmp/gosnmp => github.com/ilyam8/gosnmp` overrides the canonical dependency with a different source (redirects to fo"}, "fullDescription": {"text": "If the replace is intentional (e.g. waiting on an upstream fix), vendor the dependency into the repo and add a comment explaining the reason. Remove the replace once upstream merges."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `debian:12` not pinned by digest: `FROM debian:12` resolves the tag at build time. The regist", "shortDescription": {"text": "[MINED118] Dockerfile FROM `debian:12` not pinned by digest: `FROM debian:12` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin"}, "fullDescription": {"text": "Replace with: `FROM debian:12@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `httpd:2.4` unpinned: `container/services image: httpd:2.4` without `@sha25", "shortDescription": {"text": "[MINED126] Workflow container/services image `httpd:2.4` unpinned: `container/services image: httpd:2.4` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipli"}, "fullDescription": {"text": "Replace with `httpd:2.4@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `shimataro/ssh-key-action` pinned to mutable ref `@v2`: `uses: shimataro/ssh-key-action@v2` resolves a", "shortDescription": {"text": "[MINED115] Action `shimataro/ssh-key-action` pinned to mutable ref `@v2`: `uses: shimataro/ssh-key-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files comp"}, "fullDescription": {"text": "Replace with: `uses: shimataro/ssh-key-action@<40-char-sha>  # v2` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.assert_schema_rejects_item` used but never assigned in __init__: Method `test_view_switch_rejects_neste", "shortDescription": {"text": "[MINED108] `self.assert_schema_rejects_item` used but never assigned in __init__: Method `test_view_switch_rejects_nested_view_switch` of class `TaxonomySchemaTest` reads `self.assert_schema_rejects_item`, but no assignment to it exists in "}, "fullDescription": {"text": "Initialize `self.assert_schema_rejects_item = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_renderer_fields_are_rejected_as_item_body_siblings: Test function `test_renderer_", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_renderer_fields_are_rejected_as_item_body_siblings: Test function `test_renderer_fields_are_rejected_as_item_body_siblings` runs code but contains no assert / expect / should call \u2014 it passes regardles"}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in G", "shortDescription": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC088", "name": "[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM r", "shortDescription": {"text": "[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM risk. Ported from gosec G402 (Apache-2.0)."}, "fullDescription": {"text": "Remove the option. If self-signed certs are required, pin via RootCAs."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED033", "name": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic.", "shortDescription": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "fullDescription": {"text": "Use a constant command name and validate args via a whitelist."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED041", "name": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs.", "shortDescription": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC032", "name": "[SEC032] Unrestricted File Upload \u2014 no extension/MIME validation: File upload accepts the user's filename without valida", "shortDescription": {"text": "[SEC032] Unrestricted File Upload \u2014 no extension/MIME validation: File upload accepts the user's filename without validating extension, content-type, or magic bytes. Attackers upload `.php`, `.jsp`, or executable files to a web-served direc"}, "fullDescription": {"text": "Validate THREE things server-side:\n  1. Extension allowlist:\n       ALLOWED = {'.png', '.jpg', '.pdf'}\n       ext = Path(file.filename).suffix.lower()\n       if ext not in ALLOWED: abort(400)\n  2. Magic-byte check (don't trust the extension):\n       import magic\n       mime = magic.from_buffer(file.read(2048), mime=True)\n  3. Save with a random/UUID filename to a non-executable directory.\nSanitize with `werkzeug.secure_filename`. Never reuse the user's name."}, "properties": {"scanner": "repobility-threat-engine", "category": "file_upload", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED021", "name": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape.", "shortDescription": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-22 / A01:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_reques", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_WEBHOOK_URL }` lets a PR from any fork exfiltrate th"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED107", "name": "[MINED107] Missing import: `string` used but not imported: The file uses `string.something(...)` but never imports `stri", "shortDescription": {"text": "[MINED107] Missing import: `string` used but not imported: The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes."}, "fullDescription": {"text": "Add `import string` at the top of the file."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. Th", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED022", "name": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf.", "shortDescription": {"text": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-120 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/807"}, "properties": {"repository": "netdata/netdata", "repoUrl": "https://github.com/netdata/netdata", "branch": "master"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69896, "scanner": "repobility-ast-engine", "fingerprint": "b55ebcbea653dbfaeaba0ee14d2d284bb267e352684a53eb933390ee1c89e860", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b55ebcbea653dbfaeaba0ee14d2d284bb267e352684a53eb933390ee1c89e860"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/bases/FrameworkServices/SocketService.py"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69895, "scanner": "repobility-ast-engine", "fingerprint": "640504e86785d20449ad0b894d41da0fb1f764987482ffecd2a107cc7ce9ff2a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|640504e86785d20449ad0b894d41da0fb1f764987482ffecd2a107cc7ce9ff2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/bases/FrameworkServices/MySQLService.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69894, "scanner": "repobility-ast-engine", "fingerprint": "70d87eaf24d42b1f9aee4337c8e991d4373d36972d411a3ddd211d70ec40c6d2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|70d87eaf24d42b1f9aee4337c8e991d4373d36972d411a3ddd211d70ec40c6d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/urllib3/contrib/_securetransport/low_level.py"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `__repr__` (dict): `def __repr__(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 69892, "scanner": "repobility-ast-engine", "fingerprint": "9b2cde7763caa44d1436720ba64aaa123058b04ecd7e571c3277087ffc72fb42", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9b2cde7763caa44d1436720ba64aaa123058b04ecd7e571c3277087ffc72fb42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/urllib3/packages/ordered_dict.py"}, "region": {"startLine": 198}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69891, "scanner": "repobility-ast-engine", "fingerprint": "d42810bc655b844da63e0516ae5c327946140d2da5db1937d6bae2b3e56507db", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d42810bc655b844da63e0516ae5c327946140d2da5db1937d6bae2b3e56507db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/urllib3/contrib/securetransport.py"}, "region": {"startLine": 280}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69890, "scanner": "repobility-ast-engine", "fingerprint": "18edaeb13a7eefeb81fbef7a7000b326d7a310ab463b1a848f26ddfaf3e84daf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|18edaeb13a7eefeb81fbef7a7000b326d7a310ab463b1a848f26ddfaf3e84daf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/urllib3/contrib/securetransport.py"}, "region": {"startLine": 230}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69889, "scanner": "repobility-ast-engine", "fingerprint": "7d130b32e44f34fbda918d83f9e8a801ad5221c45bb5c25d41007cd81d047dc0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7d130b32e44f34fbda918d83f9e8a801ad5221c45bb5c25d41007cd81d047dc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/urllib3/connectionpool.py"}, "region": {"startLine": 384}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69888, "scanner": "repobility-ast-engine", "fingerprint": "231938eeac9bedb0c2eb2f908bc29fd85920dd495eef1cec3aa4083e8e0d2d16", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|231938eeac9bedb0c2eb2f908bc29fd85920dd495eef1cec3aa4083e8e0d2d16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/bases/collection.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69887, "scanner": "repobility-ast-engine", "fingerprint": "e72e3ae8a73b3a182fc54a4b2e3e7e16633c39533122660c95a47e2de207dbc2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e72e3ae8a73b3a182fc54a4b2e3e7e16633c39533122660c95a47e2de207dbc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/web/mcp/bridges/stdio-python/nd-mcp.py"}, "region": {"startLine": 297}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69886, "scanner": "repobility-ast-engine", "fingerprint": "32066de71d04574a670b9ead5e6b362bbc649f779afcb9f8c6745f0af9084c82", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|32066de71d04574a670b9ead5e6b362bbc649f779afcb9f8c6745f0af9084c82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/web/mcp/bridges/stdio-python/nd-mcp.py"}, "region": {"startLine": 261}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69885, "scanner": "repobility-ast-engine", "fingerprint": "89096123fd83349336eac2e9bfea9a970d90053716bccae68781fb8775fd98c9", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|89096123fd83349336eac2e9bfea9a970d90053716bccae68781fb8775fd98c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/web/mcp/bridges/stdio-python/nd-mcp.py"}, "region": {"startLine": 287}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69884, "scanner": "repobility-ast-engine", "fingerprint": "80484abe2dac932a1c6b3e18bdd310a647f0a969100656d6bf040e3bac7e19d8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|80484abe2dac932a1c6b3e18bdd310a647f0a969100656d6bf040e3bac7e19d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/web/mcp/bridges/stdio-python/nd-mcp.py"}, "region": {"startLine": 251}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69883, "scanner": "repobility-ast-engine", "fingerprint": "34ca4f7ebaa6abc33fcb167f4e28ac4c5aa7101fe870b0ef3040cddafebe5da2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|34ca4f7ebaa6abc33fcb167f4e28ac4c5aa7101fe870b0ef3040cddafebe5da2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/web/mcp/bridges/stdio-python/nd-mcp.py"}, "region": {"startLine": 335}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69882, "scanner": "repobility-ast-engine", "fingerprint": "2630ba024b444f135dd90ba6fbb80caecc27adaa43257880206476d437478307", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2630ba024b444f135dd90ba6fbb80caecc27adaa43257880206476d437478307"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/web/mcp/bridges/stdio-python/nd-mcp.py"}, "region": {"startLine": 341}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69881, "scanner": "repobility-ast-engine", "fingerprint": "c3e85f4811d43b8ed6f7a6adde49ecb5d63c1047127686fc8da286740724dea7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c3e85f4811d43b8ed6f7a6adde49ecb5d63c1047127686fc8da286740724dea7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/web/mcp/bridges/stdio-python/nd-mcp.py"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69880, "scanner": "repobility-ast-engine", "fingerprint": "ba0e14d0c01d83a02ce9061d8ea5ee1c479b97ac185d47f939bd6b5e91971936", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ba0e14d0c01d83a02ce9061d8ea5ee1c479b97ac185d47f939bd6b5e91971936"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/modules/github_actions.py"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69879, "scanner": "repobility-ast-engine", "fingerprint": "5023f51672da9540392eee9d2f85f9dfb2a842ba36cc7ffa709d4ced718b7e2e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5023f51672da9540392eee9d2f85f9dfb2a842ba36cc7ffa709d4ced718b7e2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/modules/github_actions.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69878, "scanner": "repobility-ast-engine", "fingerprint": "d38d8f82c7980c4c0fb816964801c29b876a315cef782cb14ee6bb7c8b198aa5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d38d8f82c7980c4c0fb816964801c29b876a315cef782cb14ee6bb7c8b198aa5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/modules/version_manipulation.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69877, "scanner": "repobility-ast-engine", "fingerprint": "ede4a8afafdc4f74f3172b042bd24879498cd0a31e7b41aced1489b854bc0efa", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ede4a8afafdc4f74f3172b042bd24879498cd0a31e7b41aced1489b854bc0efa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/modules/version_manipulation.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69876, "scanner": "repobility-ast-engine", "fingerprint": "2722fbc5ab25a890599083cb4166e7264f3e8ef450d093a5894adf0b4af7f695", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2722fbc5ab25a890599083cb4166e7264f3e8ef450d093a5894adf0b4af7f695"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/netdata-pkgcloud-cleanup.py"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69874, "scanner": "repobility-ast-engine", "fingerprint": "01a3af17a36ac18f01183c7f7dc52973794d0b9c28bd380e63dfe6dcfc4c10c8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|01a3af17a36ac18f01183c7f7dc52973794d0b9c28bd380e63dfe6dcfc4c10c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/.map/validate_map_schema.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69873, "scanner": "repobility-ast-engine", "fingerprint": "2ab7de2379902e802a38916493d899d062eff7e850f5f176e556019b98073acc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|2ab7de2379902e802a38916493d899d062eff7e850f5f176e556019b98073acc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/.map/validate_map_schema.py"}, "region": {"startLine": 246}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69872, "scanner": "repobility-ast-engine", "fingerprint": "49b7e1d8396b26ecb01edd5c53edf6600a07e3027d98a46489c69f8b974bb29f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|49b7e1d8396b26ecb01edd5c53edf6600a07e3027d98a46489c69f8b974bb29f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/api/fuzzer.py"}, "region": {"startLine": 218}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69871, "scanner": "repobility-ast-engine", "fingerprint": "63609d2d04ea61615e305c64f95fa558a6484746993471d30fb9719916c6a63c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|63609d2d04ea61615e305c64f95fa558a6484746993471d30fb9719916c6a63c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/api/fuzzer.py"}, "region": {"startLine": 200}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69870, "scanner": "repobility-ast-engine", "fingerprint": "34266c5dfff1c70576052c08a5712fc734f925c785e125a3c1aa18484459b88d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|34266c5dfff1c70576052c08a5712fc734f925c785e125a3c1aa18484459b88d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/api/fuzzer.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 69829, "scanner": "repobility-ast-engine", "fingerprint": "17b0679d9f03c68c2181218ae72a9d84f471c8c2a0222ea586fa952980f157cb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|17b0679d9f03c68c2181218ae72a9d84f471c8c2a0222ea586fa952980f157cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/gen_docs_integrations.py"}, "region": {"startLine": 450}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 69825, "scanner": "repobility-docker", "fingerprint": "0b6bdb349bdc7c7638bbe31be49128deffa38c59377768a45394a410dc14c772", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "oracledb-sleep", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|0b6bdb349bdc7c7638bbe31be49128deffa38c59377768a45394a410dc14c772"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 325}}}]}, {"ruleId": "DKC014", "level": "warning", "message": {"text": "Database data bind mount is inside the Docker build context"}, "properties": {"repobilityId": 69824, "scanner": "repobility-docker", "fingerprint": "2701506e830bab72d5deaa2b3ca5a6a3d271eaa2c925f37df5f1369724030a3c", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database data directory is mounted from a relative path that is not excluded by .dockerignore.", "evidence": {"source": "./seed/oracledb/sleep.sh", "target": "/seed/sleep.sh", "rule_id": "DKC014", "scanner": "repobility-docker", "service": "oracledb-sleep", "references": ["https://docs.docker.com/engine/storage/volumes/", "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|2701506e830bab72d5deaa2b3ca5a6a3d271eaa2c925f37df5f1369724030a3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 325}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `oracledb-sleep` image uses the latest tag"}, "properties": {"repobilityId": 69823, "scanner": "repobility-docker", "fingerprint": "4cdd9eabe6610fabf6f0e3888f8e88cc75110888652adc2766f57b23c88cce50", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "gvenzl/oracle-free:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|4cdd9eabe6610fabf6f0e3888f8e88cc75110888652adc2766f57b23c88cce50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 325}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 69822, "scanner": "repobility-docker", "fingerprint": "2807f13b358becb1c5d2b7c1828aa9ea84afae90496c3a3e44035d673d08ba38", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "oracledb-seed", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|2807f13b358becb1c5d2b7c1828aa9ea84afae90496c3a3e44035d673d08ba38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 315}}}]}, {"ruleId": "DKC014", "level": "warning", "message": {"text": "Database data bind mount is inside the Docker build context"}, "properties": {"repobilityId": 69821, "scanner": "repobility-docker", "fingerprint": "673e68cb8e1cd2a554a657279425c7dc6ce778e3a8acd381c4b75eeac56861ee", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database data directory is mounted from a relative path that is not excluded by .dockerignore.", "evidence": {"source": "./seed/oracledb/seed.sh", "target": "/seed/seed.sh", "rule_id": "DKC014", "scanner": "repobility-docker", "service": "oracledb-seed", "references": ["https://docs.docker.com/engine/storage/volumes/", "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|673e68cb8e1cd2a554a657279425c7dc6ce778e3a8acd381c4b75eeac56861ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 315}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `oracledb-seed` image uses the latest tag"}, "properties": {"repobilityId": 69820, "scanner": "repobility-docker", "fingerprint": "74c97871b19467449e49d493bf2ed3de39921c8625d989a09c8acec3383ee7ed", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "gvenzl/oracle-free:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|74c97871b19467449e49d493bf2ed3de39921c8625d989a09c8acec3383ee7ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 315}}}]}, {"ruleId": "DKC014", "level": "warning", "message": {"text": "Database data bind mount is inside the Docker build context"}, "properties": {"repobilityId": 69819, "scanner": "repobility-docker", "fingerprint": "208d2e7a5ecd57b50b48372703da2754992af48297ad3a19cd10baac64cfd829", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database data directory is mounted from a relative path that is not excluded by .dockerignore.", "evidence": {"source": "./seed/oracledb/init.sql", "target": "/container-entrypoint-initdb.d/init.sql", "rule_id": "DKC014", "scanner": "repobility-docker", "service": "oracledb", "references": ["https://docs.docker.com/engine/storage/volumes/", "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|208d2e7a5ecd57b50b48372703da2754992af48297ad3a19cd10baac64cfd829"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 299}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `oracledb` image uses the latest tag"}, "properties": {"repobilityId": 69814, "scanner": "repobility-docker", "fingerprint": "d0561801766cfb7261e71ea5039b59e42463455f828f40762968a55895cecaf8", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "gvenzl/oracle-free:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d0561801766cfb7261e71ea5039b59e42463455f828f40762968a55895cecaf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 299}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 69809, "scanner": "repobility-docker", "fingerprint": "05679c5983419b7bc9f40bc8f7ac2b9c4d4720d090a18a83c50915d1d02f870e", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "proxysql-init", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|05679c5983419b7bc9f40bc8f7ac2b9c4d4720d090a18a83c50915d1d02f870e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 207}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 69801, "scanner": "repobility-docker", "fingerprint": "d040834fe8d2eb381639f83e4d49e313d2600f9751fe9fd5c1f025a7a5e833e7", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "clickhouse-init", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|d040834fe8d2eb381639f83e4d49e313d2600f9751fe9fd5c1f025a7a5e833e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 126}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 69793, "scanner": "repobility-docker", "fingerprint": "7f2dcce0aa09d7da0811952c8ad75cfb446930ae58afe420d0ef0c20df99f9c8", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis-init", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|7f2dcce0aa09d7da0811952c8ad75cfb446930ae58afe420d0ef0c20df99f9c8", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 103}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 69792, "scanner": "repobility-docker", "fingerprint": "b5a01bd266a6e4a290218fc16f1eb521e2f7c8872f5c0694f579a04e12fc21e0", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|b5a01bd266a6e4a290218fc16f1eb521e2f7c8872f5c0694f579a04e12fc21e0", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 69790, "scanner": "repobility-docker", "fingerprint": "80f69848279a3cad7354f502c7b23a51bee785cfeb9d62f15ba3cfcfecf1fe56", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "mongo-init", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|80f69848279a3cad7354f502c7b23a51bee785cfeb9d62f15ba3cfcfecf1fe56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 69784, "scanner": "repobility-docker", "fingerprint": "09a297c5c1de44077ffa7c8c12cda24b375f315d392d14b776d9e623f4509dc3", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "mssql-init", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|09a297c5c1de44077ffa7c8c12cda24b375f315d392d14b776d9e623f4509dc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "DKC014", "level": "warning", "message": {"text": "Database data bind mount is inside the Docker build context"}, "properties": {"repobilityId": 69783, "scanner": "repobility-docker", "fingerprint": "f0a53f61e2f2e8a12c1f31642e3d6763a0a43b4894a5b020203018d5d037529f", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database data directory is mounted from a relative path that is not excluded by .dockerignore.", "evidence": {"source": "./seed/mssql/init.sql", "target": "/seed/init.sql", "rule_id": "DKC014", "scanner": "repobility-docker", "service": "mssql-init", "references": ["https://docs.docker.com/engine/storage/volumes/", "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f0a53f61e2f2e8a12c1f31642e3d6763a0a43b4894a5b020203018d5d037529f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `mssql-init` image has no explicit tag"}, "properties": {"repobilityId": 69781, "scanner": "repobility-docker", "fingerprint": "2045b423a11da48a4d70f16adb5270e4863aa58cdfa2324b2ca326095e42be33", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "mcr.microsoft.com/mssql-tools", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2045b423a11da48a4d70f16adb5270e4863aa58cdfa2324b2ca326095e42be33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 69766, "scanner": "repobility-docker", "fingerprint": "c21a509f03c5068f470bc754ddca9c0ac3fa769c3a8f7c86e9666c7140817089", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "netdata/base:v3", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c21a509f03c5068f470bc754ddca9c0ac3fa769c3a8f7c86e9666c7140817089"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packaging/docker/Dockerfile"}, "region": {"startLine": 98}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 69765, "scanner": "repobility-docker", "fingerprint": "b00e1907382c6cd290462f5a04ef7db6e10b9a23db060553b490f09d2a8e37fd", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|b00e1907382c6cd290462f5a04ef7db6e10b9a23db060553b490f09d2a8e37fd", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packaging/docker/Dockerfile"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 69764, "scanner": "repobility-docker", "fingerprint": "3e94c189a9612ad2d789ba5a26a4387445d137a179ca9100b96640ea1909cc73", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "netdata/base:v3", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3e94c189a9612ad2d789ba5a26a4387445d137a179ca9100b96640ea1909cc73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 98}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 69763, "scanner": "repobility-docker", "fingerprint": "5ad0569366fabcd2a256327ef9f7831bd80374d759381ad0e26daeb00e09a2f9", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|5ad0569366fabcd2a256327ef9f7831bd80374d759381ad0e26daeb00e09a2f9", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 27}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 69762, "scanner": "repobility-docker", "fingerprint": "b13a6f8abf5be7de2dc889f2f579d4289a26722f1fd4ea38650f0a7881b5fa45", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:12", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b13a6f8abf5be7de2dc889f2f579d4289a26722f1fd4ea38650f0a7881b5fa45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/dockerfiles/Dockerfile.clang"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 69761, "scanner": "repobility-docker", "fingerprint": "361fa1ec53e6e13dc65fdfa230311c13ac814427ca0326fa9596d1f995a49b05", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|361fa1ec53e6e13dc65fdfa230311c13ac814427ca0326fa9596d1f995a49b05", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/dockerfiles/Dockerfile.clang"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 69758, "scanner": "repobility-docker", "fingerprint": "102f932c9f9088e4d7d5402e2a98b90028d248ad90e822057f936ce214031818", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "${BASE}", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|102f932c9f9088e4d7d5402e2a98b90028d248ad90e822057f936ce214031818"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/dockerfiles/Dockerfile.build_test"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 69757, "scanner": "repobility-docker", "fingerprint": "99dc3c8482d22390898912a95f769ca64845660e4d0be6eab86733cf5eb91cff", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|99dc3c8482d22390898912a95f769ca64845660e4d0be6eab86733cf5eb91cff", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/dockerfiles/Dockerfile.build_test"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 69729, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bc9166a4716eb77a49c55ff801c1edd746a760f55bc2af04c3455695b418cb8c", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "rewrite", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|bc9166a4716eb77a49c55ff801c1edd746a760f55bc2af04c3455695b418cb8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/log2journal/log2journal-rewrite.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 69728, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d432826470d25e4816f52aa98bb379f48fcfc1c131a59aea64ae6020a718fe3", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "rewrite", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "src/collectors/log2journal/log2journal.c", "correlation_key": "fp|8d432826470d25e4816f52aa98bb379f48fcfc1c131a59aea64ae6020a718fe3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/log2journal/log2journal-rewrite.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "ERR001", "level": "warning", "message": {"text": "[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level."}, "properties": {"repobilityId": 69675, "scanner": "repobility-threat-engine", "fingerprint": "f702f0db69b588e8edea38cbd41ed79a50b482f8290bd5ccda433427fcd1f60c", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "except Exception:\n            pass", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR001", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f702f0db69b588e8edea38cbd41ed79a50b482f8290bd5ccda433427fcd1f60c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/urllib3/util/connection.py"}, "region": {"startLine": 123}}}]}, {"ruleId": "SEC014", "level": "warning", "message": {"text": "[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks."}, "properties": {"repobilityId": 69665, "scanner": "repobility-threat-engine", "fingerprint": "015a98487f32735ecf571b66250a71fa382454e68140674d71666c98b5416d74", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "CERT_NONE", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC014", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|88|sec014"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/bases/FrameworkServices/UrlService.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 69664, "scanner": "repobility-threat-engine", "fingerprint": "c71c839ff82fc3529e6186423e6240786e4ad576c46e2c52c7f1c31a2d505f09", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def __iter__(self):\n        raise NotImplementedError", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c71c839ff82fc3529e6186423e6240786e4ad576c46e2c52c7f1c31a2d505f09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/urllib3/_collections.py"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 69663, "scanner": "repobility-threat-engine", "fingerprint": "9033a745e2b6b7728e2453d5c005773771041f936870263d41b386890d6f2ce4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def _get_data(self):\n        raise NotImplementedError", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9033a745e2b6b7728e2453d5c005773771041f936870263d41b386890d6f2ce4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/bases/FrameworkServices/SimpleService.py"}, "region": {"startLine": 258}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 69658, "scanner": "repobility-threat-engine", "fingerprint": "27ffd88fc8236b74360f11c25036f9a118f15494524d92e7772f76c3addc79ad", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|37|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/pandas/pandas.chart.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 69651, "scanner": "repobility-threat-engine", "fingerprint": "078365213adf2d9f7f243acad1c0c8e2728721d6921d581124eee6e8a0ecf047", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (1.5 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password = \"<redacted>\"", "reason": "Low entropy value (1.5 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|4|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/aclk/mqtt_websockets/test.c"}, "region": {"startLine": 41}}}]}, {"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `get_all_packages` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: break=2, else=2, for=1, if=3, nested_bonus=10, while=1."}, "properties": {"repobilityId": 69634, "scanner": "repobility-threat-engine", "fingerprint": "490c3f521c82d96161e19513e7739700ba7f9ff36bfd2431f08237cf4aac5c9d", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 19 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "get_all_packages", "breakdown": {"if": 3, "for": 1, "else": 2, "break": 2, "while": 1, "nested_bonus": 10}, "complexity": 19, "correlation_key": "fp|490c3f521c82d96161e19513e7739700ba7f9ff36bfd2431f08237cf4aac5c9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/netdata-pkgcloud-cleanup.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 69604, "scanner": "repobility-threat-engine", "fingerprint": "bc2de87246dfe1c0cf0fe4d8e8cf1d863628dfcae5f766bfe937dc04252d5d06", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|. token|12|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/gen-matrix-eol-check.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 69603, "scanner": "repobility-threat-engine", "fingerprint": "205bd6e6ee44546d6f4a01def62df6d50a6cf71a8a271b9ec6db23467fd42ebb", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|. token|13|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/gen-matrix-docker.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 69602, "scanner": "repobility-threat-engine", "fingerprint": "632508d5a84c1c1d94822dbcc892124dc3570a8cbcdf27b55c87c2b0bd8baa69", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|. token|11|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/gen-matrix-build.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 69827, "scanner": "repobility-docker", "fingerprint": "00aa1cce32ad92cf426fa1b5eeb8427e1200cb0ea56dad893bc3612ed5c2053c", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "rethinkdb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|00aa1cce32ad92cf426fa1b5eeb8427e1200cb0ea56dad893bc3612ed5c2053c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 335}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 69826, "scanner": "repobility-docker", "fingerprint": "cc70ed8e2c844c59ae49e9199e68dd4c6bfd6a402236aa56f291de3604541ed5", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "rethinkdb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cc70ed8e2c844c59ae49e9199e68dd4c6bfd6a402236aa56f291de3604541ed5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 335}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 69817, "scanner": "repobility-docker", "fingerprint": "a746b303ea3270b534a0548cc2bf0542f99f2549162a6488494a119ca0065107", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "oracledb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a746b303ea3270b534a0548cc2bf0542f99f2549162a6488494a119ca0065107"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 299}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 69815, "scanner": "repobility-docker", "fingerprint": "fb5ad60b3ce8c62dc999da04669236eacc3440eb5aa0f76def014cc251ec8da4", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "oracledb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fb5ad60b3ce8c62dc999da04669236eacc3440eb5aa0f76def014cc251ec8da4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 299}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 69813, "scanner": "repobility-docker", "fingerprint": "1805217b2a244dc79dc402e53bfe797f1d9de142b2732f20ea4ef99ee76a9017", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "yugabytedb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1805217b2a244dc79dc402e53bfe797f1d9de142b2732f20ea4ef99ee76a9017"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 267}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 69812, "scanner": "repobility-docker", "fingerprint": "f114a4ce629d0e16d9895f6c7c1ae7bac5903a23b450ae1d07c4935eab78fa0f", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "yugabytedb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f114a4ce629d0e16d9895f6c7c1ae7bac5903a23b450ae1d07c4935eab78fa0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 267}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 69811, "scanner": "repobility-docker", "fingerprint": "c5d492041065010b1de914546986ef23073a4ff5cc900bcdc3856a8f229ee602", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "cockroachdb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c5d492041065010b1de914546986ef23073a4ff5cc900bcdc3856a8f229ee602"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 225}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 69810, "scanner": "repobility-docker", "fingerprint": "899f77145b2fbec0e868129165b87b0173b84d8cfe248848105c0c6c65b6d448", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "cockroachdb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|899f77145b2fbec0e868129165b87b0173b84d8cfe248848105c0c6c65b6d448"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 225}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 69807, "scanner": "repobility-docker", "fingerprint": "ef684297711b20e3d01d29585d5e430a46a0a1ad3c96e47ddc4f38fe7c4c3297", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "proxysql", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ef684297711b20e3d01d29585d5e430a46a0a1ad3c96e47ddc4f38fe7c4c3297"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 198}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 69806, "scanner": "repobility-docker", "fingerprint": "625169b1e6a7564bffe8a283358235a5b825225603ef94418c3444d1962bed16", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "proxysql", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|625169b1e6a7564bffe8a283358235a5b825225603ef94418c3444d1962bed16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 198}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 69805, "scanner": "repobility-docker", "fingerprint": "9ec29fda129da17b6d425d07e3ffa147f24cc58dd51f881c544d039bc403b798", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "couchbase", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9ec29fda129da17b6d425d07e3ffa147f24cc58dd51f881c544d039bc403b798"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 170}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 69804, "scanner": "repobility-docker", "fingerprint": "39bbe95e3e86cf7078458120a7d2961a1172191ab8e4fa5254c16699dae50dcc", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "couchbase", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|39bbe95e3e86cf7078458120a7d2961a1172191ab8e4fa5254c16699dae50dcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 170}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 69796, "scanner": "repobility-docker", "fingerprint": "0268c815f074cb05696b81b48bf368c1542369bb41d61c87ba4aedbbe2a8ef70", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "clickhouse", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0268c815f074cb05696b81b48bf368c1542369bb41d61c87ba4aedbbe2a8ef70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 112}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 69795, "scanner": "repobility-docker", "fingerprint": "eba1844908ca40a433b6167e8d3d79f9a7cc576c710f07ea653abb8939c4eaf7", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "clickhouse", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|eba1844908ca40a433b6167e8d3d79f9a7cc576c710f07ea653abb8939c4eaf7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 112}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 69794, "scanner": "repobility-docker", "fingerprint": "3ad7dfd1a866bd7bc17acc90a977ccca125de83ab56aba08e79d9d2b7f40a6e5", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis-init", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|3ad7dfd1a866bd7bc17acc90a977ccca125de83ab56aba08e79d9d2b7f40a6e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 103}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 69778, "scanner": "repobility-docker", "fingerprint": "d76f9280d35ceef3c6d753d59dad4be554b1d30e67010206b47e30ff6ec25d6e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "mssql", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d76f9280d35ceef3c6d753d59dad4be554b1d30e67010206b47e30ff6ec25d6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 69776, "scanner": "repobility-docker", "fingerprint": "5b831c4e24f4ef38b010743359b9c2030ebeb30d67c1ce3fb69bc246cbbbed5b", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mssql", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5b831c4e24f4ef38b010743359b9c2030ebeb30d67c1ce3fb69bc246cbbbed5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 69760, "scanner": "repobility-docker", "fingerprint": "b9e7a749314ea47eb0c1e9fef52430dca3ac46704fd70cc4a7332659409795a9", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b9e7a749314ea47eb0c1e9fef52430dca3ac46704fd70cc4a7332659409795a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/dockerfiles/Dockerfile.clang"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 69759, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69755, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cf71ec74b247be9de4a39d276ea79ecb2a6001d2d4624e01b46be017be6f57b1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/crates/jf/journal_file/src/writer.rs", "duplicate_line": 127, "correlation_key": "fp|cf71ec74b247be9de4a39d276ea79ecb2a6001d2d4624e01b46be017be6f57b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/journal-core/src/file/writer.rs"}, "region": {"startLine": 200}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69754, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1b1d7d210997eebfe70aefa244ee474d104bfcddc9f830ecb52d28db8cb561ea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/crates/jf/journal_file/src/value_guard.rs", "duplicate_line": 1, "correlation_key": "fp|1b1d7d210997eebfe70aefa244ee474d104bfcddc9f830ecb52d28db8cb561ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/journal-core/src/file/value_guard.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69753, "scanner": "repobility-ai-code-hygiene", "fingerprint": "363094b5b22bf17922519ebe48473b8b5833b00b6151f9cfd61540f8207ed806", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/crates/jf/sigbus/src/lib.rs", "duplicate_line": 4, "correlation_key": "fp|363094b5b22bf17922519ebe48473b8b5833b00b6151f9cfd61540f8207ed806"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/journal-core/src/file/sigbus.rs"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69752, "scanner": "repobility-ai-code-hygiene", "fingerprint": "294c6ea890f4ac8c2c54a123ebe90f1efd8f01011dcd7bb95ed89bc64ceae1b1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/crates/jf/journal_file/src/reader.rs", "duplicate_line": 20, "correlation_key": "fp|294c6ea890f4ac8c2c54a123ebe90f1efd8f01011dcd7bb95ed89bc64ceae1b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/journal-core/src/file/reader.rs"}, "region": {"startLine": 79}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69751, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5bd165c1e235334824fc08d69e39a3418284c34103e889cde7da04f5882fd47e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/crates/jf/journal_file/src/offset_array.rs", "duplicate_line": 5, "correlation_key": "fp|5bd165c1e235334824fc08d69e39a3418284c34103e889cde7da04f5882fd47e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/journal-core/src/file/offset_array.rs"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69750, "scanner": "repobility-ai-code-hygiene", "fingerprint": "15f3f83126737e162eca82a73234eda969c7c40e7c96bddaf6390e0a423a80ef", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/crates/jf/window_manager/src/lib.rs", "duplicate_line": 12, "correlation_key": "fp|15f3f83126737e162eca82a73234eda969c7c40e7c96bddaf6390e0a423a80ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/journal-core/src/file/mmap.rs"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69749, "scanner": "repobility-ai-code-hygiene", "fingerprint": "53687c87ec61135a43d33782e89bfcc17f5794e620461e38c92e0d2eec0fbe6e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/crates/jf/journal_file/src/hash.rs", "duplicate_line": 16, "correlation_key": "fp|53687c87ec61135a43d33782e89bfcc17f5794e620461e38c92e0d2eec0fbe6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/journal-core/src/file/hash.rs"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69748, "scanner": "repobility-ai-code-hygiene", "fingerprint": "16f93a8dcadab5de33a9d80e8ea4d76b170d0417a97f7f46ee4e5d8f1dc41e08", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/crates/jf/journal_file/src/filter.rs", "duplicate_line": 104, "correlation_key": "fp|16f93a8dcadab5de33a9d80e8ea4d76b170d0417a97f7f46ee4e5d8f1dc41e08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/journal-core/src/file/filter.rs"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69747, "scanner": "repobility-ai-code-hygiene", "fingerprint": "acbfd0c6ec0f4b8ffddba00a7b3add2618899503d2f1016050b69aa2f9d3dfb4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/crates/jf/journal_file/src/cursor.rs", "duplicate_line": 5, "correlation_key": "fp|acbfd0c6ec0f4b8ffddba00a7b3add2618899503d2f1016050b69aa2f9d3dfb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/journal-core/src/file/cursor.rs"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69746, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2a02a8d52550c568a132beccde4584bba88016e995ccdab531e09b4afc6a0162", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/crates/jf/error/src/lib.rs", "duplicate_line": 8, "correlation_key": "fp|2a02a8d52550c568a132beccde4584bba88016e995ccdab531e09b4afc6a0162"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/journal-core/src/error.rs"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69745, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b4b0176dd49e5919620c95904d287640c3855fa55b6d9c90d2fb2edb16e68b2f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/collectors/nfacct.plugin/plugin_nfacct.c", "duplicate_line": 608, "correlation_key": "fp|b4b0176dd49e5919620c95904d287640c3855fa55b6d9c90d2fb2edb16e68b2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/xenstat.plugin/xenstat_plugin.c"}, "region": {"startLine": 739}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69744, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0e77f4c0eeecc49152fcc4def05e020385c59ebde00ac5743e6a17169ae9483c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/collectors/python.d.plugin/python_modules/urllib3/contrib/pyopenssl.py", "duplicate_line": 260, "correlation_key": "fp|0e77f4c0eeecc49152fcc4def05e020385c59ebde00ac5743e6a17169ae9483c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/urllib3/contrib/securetransport.py"}, "region": {"startLine": 472}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69743, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8992d76878982da2625d804821b4a6a81fb10929db1044f36983c7c51a19c75b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/collectors/proc.plugin/proc_spl_kstat_zfs.c", "duplicate_line": 116, "correlation_key": "fp|8992d76878982da2625d804821b4a6a81fb10929db1044f36983c7c51a19c75b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/proc.plugin/sys_class_power_supply.c"}, "region": {"startLine": 105}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69742, "scanner": "repobility-ai-code-hygiene", "fingerprint": "43b18dec68d92328e46dfeaf7b6bc4a52250c2e12e036f37bbc676be02550c9f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/collectors/proc.plugin/proc_interrupts.c", "duplicate_line": 1, "correlation_key": "fp|43b18dec68d92328e46dfeaf7b6bc4a52250c2e12e036f37bbc676be02550c9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/proc.plugin/proc_softirqs.c"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69741, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6f78e18d0f75dff98b2ad14c33b0cc6def57446bf000b3774a44f8785354af6c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/collectors/proc.plugin/proc_net_sockstat.c", "duplicate_line": 151, "correlation_key": "fp|6f78e18d0f75dff98b2ad14c33b0cc6def57446bf000b3774a44f8785354af6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/proc.plugin/proc_net_sockstat6.c"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69740, "scanner": "repobility-ai-code-hygiene", "fingerprint": "23f14a390bc27aea805fb1e0c960110fd82f2fd8bbedb78f3c4e3fb2f154551f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/collectors/proc.plugin/proc_net_rpc_nfs.c", "duplicate_line": 8, "correlation_key": "fp|23f14a390bc27aea805fb1e0c960110fd82f2fd8bbedb78f3c4e3fb2f154551f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/proc.plugin/proc_net_rpc_nfsd.c"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69739, "scanner": "repobility-ai-code-hygiene", "fingerprint": "12191ae37bcb064ca93024e7834e1dd1646ff9df505f59d099ec80557e7cd74a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/collectors/cgroups.plugin/cgroup-top.c", "duplicate_line": 233, "correlation_key": "fp|12191ae37bcb064ca93024e7834e1dd1646ff9df505f59d099ec80557e7cd74a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/network-viewer.plugin/network-viewer-windows.c"}, "region": {"startLine": 359}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69738, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2d21d451c7923d32a2ff94f88d3823deede757b6472a954a549d9c595f80a895", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/collectors/ebpf.plugin/ebpf_filesystem.c", "duplicate_line": 791, "correlation_key": "fp|2d21d451c7923d32a2ff94f88d3823deede757b6472a954a549d9c595f80a895"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/ebpf.plugin/ebpf_sync.c"}, "region": {"startLine": 307}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69737, "scanner": "repobility-ai-code-hygiene", "fingerprint": "102438128be3b96057be4f7cdbd6aa04ae99847c9f78555006054b7a2720702e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/collectors/ebpf.plugin/ebpf_mount.c", "duplicate_line": 211, "correlation_key": "fp|102438128be3b96057be4f7cdbd6aa04ae99847c9f78555006054b7a2720702e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/ebpf.plugin/ebpf_sync.c"}, "region": {"startLine": 304}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69736, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5fff1badf07c17250bb1925f82252e3624de7c8a2168582c3ae2209ea1e35253", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/collectors/ebpf.plugin/ebpf_disk.c", "duplicate_line": 441, "correlation_key": "fp|5fff1badf07c17250bb1925f82252e3624de7c8a2168582c3ae2209ea1e35253"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/ebpf.plugin/ebpf_softirq.c"}, "region": {"startLine": 135}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69735, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b67d53317bebdcbb30d7384df187f7cd33c7e4c9048fb8faecb68773db92c1fa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/collectors/ebpf.plugin/ebpf_filesystem.c", "duplicate_line": 791, "correlation_key": "fp|b67d53317bebdcbb30d7384df187f7cd33c7e4c9048fb8faecb68773db92c1fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/ebpf.plugin/ebpf_mount.c"}, "region": {"startLine": 214}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69734, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b28caa1c63f9416fd07f7d8ae3bdad427e5942e9ef571e760347ceb3143dc706", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/collectors/ebpf.plugin/ebpf_hardirq.c", "duplicate_line": 15, "correlation_key": "fp|b28caa1c63f9416fd07f7d8ae3bdad427e5942e9ef571e760347ceb3143dc706"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/ebpf.plugin/ebpf_mount.c"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69733, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8ae6cfeaface5a78e71561f377fe5510717e4b9922067185cc1ee7ac1464621d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/collectors/ebpf.plugin/ebpf_filesystem.c", "duplicate_line": 790, "correlation_key": "fp|8ae6cfeaface5a78e71561f377fe5510717e4b9922067185cc1ee7ac1464621d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/ebpf.plugin/ebpf_mdflush.c"}, "region": {"startLine": 179}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69732, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f4f1007332a6ed7ad9690bf37df1f648ba2e213a728a42fe0c2607222fc2dc0d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/collectors/ebpf.plugin/ebpf_filesystem.c", "duplicate_line": 808, "correlation_key": "fp|f4f1007332a6ed7ad9690bf37df1f648ba2e213a728a42fe0c2607222fc2dc0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/ebpf.plugin/ebpf_hardirq.c"}, "region": {"startLine": 375}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69731, "scanner": "repobility-ai-code-hygiene", "fingerprint": "11d2e4576dbbaacea5fc29d49639c5260469bcb9915cb6b59fa26378b7eddb44", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/aclk/https_client.c", "duplicate_line": 414, "correlation_key": "fp|11d2e4576dbbaacea5fc29d49639c5260469bcb9915cb6b59fa26378b7eddb44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/aclk/mqtt_websockets/mqtt_wss_client.c"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 69730, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e49e7dbd10960c7ede6528cac8b83feab01a84b414f2200914a3c6a1e396692c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "integrations/gen_doc_secrets_page.py", "duplicate_line": 248, "correlation_key": "fp|e49e7dbd10960c7ede6528cac8b83feab01a84b414f2200914a3c6a1e396692c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/gen_doc_service_discovery_page.py"}, "region": {"startLine": 291}}}]}, {"ruleId": "AIC009", "level": "note", "message": {"text": "Multiple AI-agent scaffold marker files are present"}, "properties": {"repobilityId": 69727, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff6e1d5f8944c42e18d355d72dd1be436aa8bed440cc2a7bce2c8a8fb4706ed6", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains several AI-agent scaffold marker files.", "evidence": {"markers": ["AGENTS.md", "CLAUDE.md", "GEMINI.md"], "rule_id": "AIC009", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|ff6e1d5f8944c42e18d355d72dd1be436aa8bed440cc2a7bce2c8a8fb4706ed6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "AGENTS.md"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 69711, "scanner": "repobility-threat-engine", "fingerprint": "604afeab9984e8e1fd3884b47b1bed8f6898b9d0d27aec53ef605adb9c2ee630", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"_record_\"+rtypeName+\"_query_time\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|604afeab9984e8e1fd3884b47b1bed8f6898b9d0d27aec53ef605adb9c2ee630"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/plugin/go.d/collector/dnsquery/collect.go"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 69710, "scanner": "repobility-threat-engine", "fingerprint": "c4782dab49eddb472774e8be3816703a308f86f0e525f62d51cc8b393188d4bc", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"health_check_\"+id+\"_passing_status\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c4782dab49eddb472774e8be3816703a308f86f0e525f62d51cc8b393188d4bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/plugin/go.d/collector/consul/collect_checks.go"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 69709, "scanner": "repobility-threat-engine", "fingerprint": "d2d81e65c654f04f2b3a3d91af82dd0c942da43cb776feff56ce0f4c9b965e3a", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"SubNetwork: \" + cidr + \", Nodeids:[\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d2d81e65c654f04f2b3a3d91af82dd0c942da43cb776feff56ce0f4c9b965e3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/pkg/l2topology/node_topology_router.go"}, "region": {"startLine": 241}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 69707, "scanner": "repobility-threat-engine", "fingerprint": "ae4b30af3423ee7ea1686dc634255b5660ce1105b65e1ababc5b43bf47d7cf75", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = os.Unsetenv(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ae4b30af3423ee7ea1686dc634255b5660ce1105b65e1ababc5b43bf47d7cf75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/cmd/scriptsdplugin/main.go"}, "region": {"startLine": 35}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 69706, "scanner": "repobility-threat-engine", "fingerprint": "306216b05d024fc65ef69f4201eadf6ddd7386640fa41f2af9627716f21045f6", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = os.Unsetenv(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|306216b05d024fc65ef69f4201eadf6ddd7386640fa41f2af9627716f21045f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/cmd/ibmdplugin/main.go"}, "region": {"startLine": 48}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 69705, "scanner": "repobility-threat-engine", "fingerprint": "2b68565100b78938529e3cc972e1c236f706ff849e1e1fead94a289c21b6c0d9", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = os.Unsetenv(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2b68565100b78938529e3cc972e1c236f706ff849e1e1fead94a289c21b6c0d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/cmd/godplugin/main.go"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC124", "level": "note", "message": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated for the same reason."}, "properties": {"repobilityId": 69670, "scanner": "repobility-threat-engine", "fingerprint": "b35ff219823195db81541f33132af10e5f6b94458a61dd7ca9131aadadf2dbb0", "category": "race_condition", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.access(binary_name, os.X_OK):\n            return binary_name\n    return None\n\n\ndef read_last_line", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC124", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b35ff219823195db81541f33132af10e5f6b94458a61dd7ca9131aadadf2dbb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/bases/collection.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=2, except=1, for=1, if=2, nested_bonus=3."}, "properties": {"repobilityId": 69636, "scanner": "repobility-threat-engine", "fingerprint": "fa1813818c455d8adcf8fdbc2eb60c9f66fe61bb7a9712e9cc4b6ff6cd8a422e", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 2, "for": 1, "except": 1, "continue": 2, "nested_bonus": 3}, "complexity": 9, "correlation_key": "fp|fa1813818c455d8adcf8fdbc2eb60c9f66fe61bb7a9712e9cc4b6ff6cd8a422e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/normalize-go-test-json.py"}, "region": {"startLine": 24}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `cleanup_stable_repo` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: for=4, nested_bonus=6."}, "properties": {"repobilityId": 69635, "scanner": "repobility-threat-engine", "fingerprint": "dfb871792e89072ece9da2588d1662da441b77eb891c52c01beeb68f271882ce", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "cleanup_stable_repo", "breakdown": {"for": 4, "nested_bonus": 6}, "complexity": 10, "correlation_key": "fp|dfb871792e89072ece9da2588d1662da441b77eb891c52c01beeb68f271882ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/netdata-pkgcloud-cleanup.py"}, "region": {"startLine": 128}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `mssql` image is selected through a build variable"}, "properties": {"repobilityId": 69775, "scanner": "repobility-docker", "fingerprint": "ea51e75feda0cc318ac2797177dd3f2b10b09a04914bfc826d87de26637adf87", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${MSSQL_IMAGE:-mcr.microsoft.com/mssql/server:2022-latest}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|ea51e75feda0cc318ac2797177dd3f2b10b09a04914bfc826d87de26637adf87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `mysql` image is selected through a build variable"}, "properties": {"repobilityId": 69771, "scanner": "repobility-docker", "fingerprint": "9ee2cd358c9590c7fa220e5b2ca25f593b1414a2dcea9a3c49c5139b2dcc7bfe", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${MYSQL_IMAGE:-mysql:8.0}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|9ee2cd358c9590c7fa220e5b2ca25f593b1414a2dcea9a3c49c5139b2dcc7bfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Compose service `postgres` image is selected through a build variable"}, "properties": {"repobilityId": 69767, "scanner": "repobility-docker", "fingerprint": "e3d0b0740966f697fa05f01e2f19330e8e5907dd356b2e9244c7b05b5ea447f2", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${POSTGRES_IMAGE:-postgres:16}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|e3d0b0740966f697fa05f01e2f19330e8e5907dd356b2e9244c7b05b5ea447f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 69756, "scanner": "repobility-docker", "fingerprint": "101bc100da72357adad1e1defd23f44e953236f9f73a2386ced8e77e92de81dd", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "${BASE}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|101bc100da72357adad1e1defd23f44e953236f9f73a2386ced8e77e92de81dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/dockerfiles/Dockerfile.build_test"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 16 more): Same pattern found in 16 additional files. Review if needed."}, "properties": {"repobilityId": 69720, "scanner": "repobility-threat-engine", "fingerprint": "c2d819b0c2f1c7bd5c6a48f2f8324a2afe576bb663efe2c9e049de3ed01e697f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 16 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c2d819b0c2f1c7bd5c6a48f2f8324a2afe576bb663efe2c9e049de3ed01e697f", "aggregated_count": 16}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "properties": {"repobilityId": 69716, "scanner": "repobility-threat-engine", "fingerprint": "60f1099900644ea0a750edabf3aa608ace6a651ec3a6318251de94e256df369d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 25 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|60f1099900644ea0a750edabf3aa608ace6a651ec3a6318251de94e256df369d", "aggregated_count": 25}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 69715, "scanner": "repobility-threat-engine", "fingerprint": "e08a78ddcbf3fc2d1c75c15f3a27453b7c80d93199a738dd0989f84706c9d9ad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e08a78ddcbf3fc2d1c75c15f3a27453b7c80d93199a738dd0989f84706c9d9ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/pkg/metrix/gauge.go"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 69714, "scanner": "repobility-threat-engine", "fingerprint": "519cb02377c26e2108c89297a7116ec20605cd61ba1c57e4555aa03760b0a4da", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|519cb02377c26e2108c89297a7116ec20605cd61ba1c57e4555aa03760b0a4da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/pkg/metrix/counter.go"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 69713, "scanner": "repobility-threat-engine", "fingerprint": "764efc63dcf088d7fa4516d879e1c6c2c4d1115d66a74082ce31bf04b49f0aaf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|764efc63dcf088d7fa4516d879e1c6c2c4d1115d66a74082ce31bf04b49f0aaf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/pkg/matcher/matcher.go"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 69712, "scanner": "repobility-threat-engine", "fingerprint": "097d27b2deaca55861bf7fc2fde9b3c1ab45a5a98b541bd572ee8991d2ed26b1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|097d27b2deaca55861bf7fc2fde9b3c1ab45a5a98b541bd572ee8991d2ed26b1"}}}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 53 more): Same pattern found in 53 additional files. Review if needed."}, "properties": {"repobilityId": 69708, "scanner": "repobility-threat-engine", "fingerprint": "f81ab761642a602106a42f90048a7e1dd19284b8a2e204d093db7cf92dfa07dc", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 53 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 53 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f81ab761642a602106a42f90048a7e1dd19284b8a2e204d093db7cf92dfa07dc"}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 31 more): Same pattern found in 31 additional files. Review if needed."}, "properties": {"repobilityId": 69704, "scanner": "repobility-threat-engine", "fingerprint": "d83ca282e8477695062a61847afdd66fb9e72e56b8dfcfaaef3fecad8c44d4d8", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 31 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d83ca282e8477695062a61847afdd66fb9e72e56b8dfcfaaef3fecad8c44d4d8", "aggregated_count": 31}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 69703, "scanner": "repobility-threat-engine", "fingerprint": "c7efb257e17ee80d5728e737537c303175f8ad91f8c57bef9e08476536f848ea", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c7efb257e17ee80d5728e737537c303175f8ad91f8c57bef9e08476536f848ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/logger/context.go"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 69702, "scanner": "repobility-threat-engine", "fingerprint": "2d9be4433f1db43719220bbc293f43f2f1b735793d90840895cab8b1db69c1de", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2d9be4433f1db43719220bbc293f43f2f1b735793d90840895cab8b1db69c1de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/cmd/internal/agenthost/host.go"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 69701, "scanner": "repobility-threat-engine", "fingerprint": "51fb321e75cb4d2f997db69cefcdb1dfe1a5bd73e0090a601d48011c3cd640a4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|51fb321e75cb4d2f997db69cefcdb1dfe1a5bd73e0090a601d48011c3cd640a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/cmd/godplugin/main.go"}, "region": {"startLine": 199}}}]}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 69700, "scanner": "repobility-threat-engine", "fingerprint": "3d94e880c2e8a0bb4b06b2e51a89f1e2b3c179247361f3b31060096e31f982c7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3d94e880c2e8a0bb4b06b2e51a89f1e2b3c179247361f3b31060096e31f982c7", "aggregated_count": 3}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 69694, "scanner": "repobility-threat-engine", "fingerprint": "b1899ad9a25e479f08b044c714484673af97b97db31ba68b3b42a9328e60eab3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b1899ad9a25e479f08b044c714484673af97b97db31ba68b3b42a9328e60eab3", "aggregated_count": 5}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 69693, "scanner": "repobility-threat-engine", "fingerprint": "b59b9ef43bc18195612426b1ffdf50325cff5c089f73e5e223caaf886d7c8b14", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b59b9ef43bc18195612426b1ffdf50325cff5c089f73e5e223caaf886d7c8b14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/netflow-plugin/src/ingest/service.rs"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 69692, "scanner": "repobility-threat-engine", "fingerprint": "c502eac9ea18ee1863cd7d38114111f426ac2c9ac9f778cbff00c7e1d8718caa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c502eac9ea18ee1863cd7d38114111f426ac2c9ac9f778cbff00c7e1d8718caa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/netflow-plugin/src/charts/tests.rs"}, "region": {"startLine": 270}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 69691, "scanner": "repobility-threat-engine", "fingerprint": "b429ef8b01f19edffd4e9d2bc731843c40654ebf8420740e2e5957772738176e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b429ef8b01f19edffd4e9d2bc731843c40654ebf8420740e2e5957772738176e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/netdata-plugin/schema/src/lib.rs"}, "region": {"startLine": 158}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 69690, "scanner": "repobility-threat-engine", "fingerprint": "7bcded00ad833ba73bcf4b2215be5d4e118edecf98ea1a94a390c7d651375790", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7bcded00ad833ba73bcf4b2215be5d4e118edecf98ea1a94a390c7d651375790", "aggregated_count": 5}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 69689, "scanner": "repobility-threat-engine", "fingerprint": "55c3234191073a81b6a9a050cd1ed5fb688ed562d5910cd832e5d3768b4561c2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|55c3234191073a81b6a9a050cd1ed5fb688ed562d5910cd832e5d3768b4561c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/journal-core/src/field_map.rs"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 69688, "scanner": "repobility-threat-engine", "fingerprint": "840cae8131bef76553665f53679e9bd7600e4b70f424508386f8f0ba264412fb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|840cae8131bef76553665f53679e9bd7600e4b70f424508386f8f0ba264412fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/jf/window_manager/src/lib.rs"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 69687, "scanner": "repobility-threat-engine", "fingerprint": "d3f847bcf88a9f531790e0cf57ca0e9e2d20c4e82fca01622f4eac83ab196538", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d3f847bcf88a9f531790e0cf57ca0e9e2d20c4e82fca01622f4eac83ab196538"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/jf/sigbus/src/lib.rs"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 69686, "scanner": "repobility-threat-engine", "fingerprint": "f4fd66af13ab3aca7250950a0f6f856e4e35a27fc2ef0236da12089b67552c88", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f4fd66af13ab3aca7250950a0f6f856e4e35a27fc2ef0236da12089b67552c88", "aggregated_count": 18}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 69685, "scanner": "repobility-threat-engine", "fingerprint": "77c58ef7631c26aa7aa021902c9af953d07681e204c7d89241553523f59886e9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|77c58ef7631c26aa7aa021902c9af953d07681e204c7d89241553523f59886e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/netdata-otel/otel-plugin/src/lib.rs"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 69684, "scanner": "repobility-threat-engine", "fingerprint": "838e67d9a0bb812b395809b74555fca9c29fe6269d6fd0381c078ed9f08efbd6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|838e67d9a0bb812b395809b74555fca9c29fe6269d6fd0381c078ed9f08efbd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/journal-index/src/bitmap.rs"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 69683, "scanner": "repobility-threat-engine", "fingerprint": "b9a041589679f15660c0dad6922d7b474d1f89ec48c0275f2a55e686f059aeea", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b9a041589679f15660c0dad6922d7b474d1f89ec48c0275f2a55e686f059aeea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/jf/journal_reader_ffi/build.rs"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "properties": {"repobilityId": 69680, "scanner": "repobility-threat-engine", "fingerprint": "eabcb24751aa56e9deb689c3613859b2c21c07e4c589eda5e4f90d522b58c186", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 29 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|eabcb24751aa56e9deb689c3613859b2c21c07e4c589eda5e4f90d522b58c186", "aggregated_count": 29}}}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 69674, "scanner": "repobility-threat-engine", "fingerprint": "47cd768b6b3da421787a4d2fd1a06722ae3b6c7a82576634cdff0e5ffa095647", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|47cd768b6b3da421787a4d2fd1a06722ae3b6c7a82576634cdff0e5ffa095647", "aggregated_count": 3}}}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 69673, "scanner": "repobility-threat-engine", "fingerprint": "1cf82f8ac6dfbf7a42caefccba4230e3a6cd4b7f67353e6468c3f863ad32b9d9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1cf82f8ac6dfbf7a42caefccba4230e3a6cd4b7f67353e6468c3f863ad32b9d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/pyyaml3/events.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 69672, "scanner": "repobility-threat-engine", "fingerprint": "b978c081142a95f01c7d7b2341295890fda49dd3d2cac3dba43182952b65b415", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b978c081142a95f01c7d7b2341295890fda49dd3d2cac3dba43182952b65b415"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/pyyaml3/error.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 69671, "scanner": "repobility-threat-engine", "fingerprint": "d219e478bfe0a97082462bfe02af6050f823fa0a8c405a5a5f339b8e334bd33d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d219e478bfe0a97082462bfe02af6050f823fa0a8c405a5a5f339b8e334bd33d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/pyyaml3/composer.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED001", "level": "none", "message": {"text": "[MINED001] Bare Except Pass (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 69669, "scanner": "repobility-threat-engine", "fingerprint": "c0243c95a960df79d347d546f02c8d708977edbd4a97478c529e24c680ef3789", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c0243c95a960df79d347d546f02c8d708977edbd4a97478c529e24c680ef3789", "aggregated_count": 4}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 69662, "scanner": "repobility-threat-engine", "fingerprint": "f3554231f2d32a33a651c3b39559f3d21263dabefeb5c7ba90040f806b6ba0ca", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f3554231f2d32a33a651c3b39559f3d21263dabefeb5c7ba90040f806b6ba0ca"}}}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 69655, "scanner": "repobility-threat-engine", "fingerprint": "008cf5cb4a6d001a21b9b079a6ea304b3e2a8e1a8ed47e19e1e699385013451b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|008cf5cb4a6d001a21b9b079a6ea304b3e2a8e1a8ed47e19e1e699385013451b", "aggregated_count": 1}}}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 69654, "scanner": "repobility-threat-engine", "fingerprint": "bf7f13ec751e02b01a83f02a886de4501e2cba688b88eccbec647bfc7c3b3a6c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bf7f13ec751e02b01a83f02a886de4501e2cba688b88eccbec647bfc7c3b3a6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/apps.plugin/busy_threads.c"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 69653, "scanner": "repobility-threat-engine", "fingerprint": "4129b9c82d1db7b0501ab9c2eff35d317ba114399bd4743ecaa6d33f7f1763d9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4129b9c82d1db7b0501ab9c2eff35d317ba114399bd4743ecaa6d33f7f1763d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/cli/cli.c"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED075", "level": "none", "message": {"text": "[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL."}, "properties": {"repobilityId": 69652, "scanner": "repobility-threat-engine", "fingerprint": "75f290257459a42fbc78f27bad8e835a7948d180180c3206f7a4006a941af403", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-malloc-no-check", "owasp": null, "cwe_ids": ["CWE-690"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348076+00:00", "triaged_in_corpus": 12, "observations_count": 11735, "ai_coder_pattern_id": 131}, "scanner": "repobility-threat-engine", "correlation_key": "fp|75f290257459a42fbc78f27bad8e835a7948d180180c3206f7a4006a941af403"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/claim/main.c"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED013", "level": "none", "message": {"text": "[MINED013] Password In Url (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 69650, "scanner": "repobility-threat-engine", "fingerprint": "085040b8c3d2e5c3560ba1137cf773c78596fa51f6271b6214b5fee56cac4add", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|085040b8c3d2e5c3560ba1137cf773c78596fa51f6271b6214b5fee56cac4add", "aggregated_count": 1}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 69645, "scanner": "repobility-threat-engine", "fingerprint": "facf796ae6e2aa7466283972d237a4863312611f907ddf04cc3a6f3da2ca0582", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|facf796ae6e2aa7466283972d237a4863312611f907ddf04cc3a6f3da2ca0582", "aggregated_count": 15}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 69644, "scanner": "repobility-threat-engine", "fingerprint": "022d1ff656b82f2fbcb6d282b2364c491b4ef7be7ae8593a899f6ce3b6c4d58f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|022d1ff656b82f2fbcb6d282b2364c491b4ef7be7ae8593a899f6ce3b6c4d58f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/bases/FrameworkServices/SimpleService.py"}, "region": {"startLine": 259}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 69643, "scanner": "repobility-threat-engine", "fingerprint": "8bdfa27e5fb258cdaff1528342ec9f4d1d7cbc2543920c0811f2a5b821a55f46", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8bdfa27e5fb258cdaff1528342ec9f4d1d7cbc2543920c0811f2a5b821a55f46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packaging/dag/main.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 69642, "scanner": "repobility-threat-engine", "fingerprint": "e62b9ff817c7a00acf33f8a2ef6709a2791e1b76b73f6d0696d985afdda6dd15", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e62b9ff817c7a00acf33f8a2ef6709a2791e1b76b73f6d0696d985afdda6dd15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/_common.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 69641, "scanner": "repobility-threat-engine", "fingerprint": "eae1e8fab9889f0af0f21f1e9feee5af5bdf56bab4b240b20c25ac339c8e81f0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|eae1e8fab9889f0af0f21f1e9feee5af5bdf56bab4b240b20c25ac339c8e81f0", "aggregated_count": 8}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 69640, "scanner": "repobility-threat-engine", "fingerprint": "94f2b133a7259ee1ed6ea4ec1a6dbe9a0b63baeaab08ff47d90313fd5b363193", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|94f2b133a7259ee1ed6ea4ec1a6dbe9a0b63baeaab08ff47d90313fd5b363193"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packaging/installer/dependencies/freebsd.sh"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 69639, "scanner": "repobility-threat-engine", "fingerprint": "87f4359c0653533f8ec84d65dd2ef82a97748c6b260f527b8af4a55a5b4ded5d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|87f4359c0653533f8ec84d65dd2ef82a97748c6b260f527b8af4a55a5b4ded5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packaging/installer/dependencies/centos.sh"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 69638, "scanner": "repobility-threat-engine", "fingerprint": "afefff316c5f928cfe259d39fc6d4f0fd2c2d25efc382d3f46ae7221be1913b3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|afefff316c5f928cfe259d39fc6d4f0fd2c2d25efc382d3f46ae7221be1913b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/diagrams/build.sh"}, "region": {"startLine": 9}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "properties": {"repobilityId": 69637, "scanner": "repobility-threat-engine", "fingerprint": "609d442b6ee8f7794590b53c136dd2382ce30eb7f3f4ac25005f93728dca1833", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 42 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "get_all_packages", "breakdown": {"if": 3, "for": 1, "else": 2, "break": 2, "while": 1, "nested_bonus": 10}, "aggregated": true, "complexity": 19, "correlation_key": "fp|609d442b6ee8f7794590b53c136dd2382ce30eb7f3f4ac25005f93728dca1833", "aggregated_count": 42}}}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 69633, "scanner": "repobility-threat-engine", "fingerprint": "ba3e69d1420d991e06f6ac1d7b5efd6bf66a38ffcb3b3557d04ca5389b8806ea", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ba3e69d1420d991e06f6ac1d7b5efd6bf66a38ffcb3b3557d04ca5389b8806ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/netdata-pkgcloud-cleanup.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "properties": {"repobilityId": 69632, "scanner": "repobility-threat-engine", "fingerprint": "521c7175c7e0f0f226316ceddac7c5fcbc995e02ff9e502f9c5eb3c3b3eb3321", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|521c7175c7e0f0f226316ceddac7c5fcbc995e02ff9e502f9c5eb3c3b3eb3321"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/modules/version_manipulation.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 69631, "scanner": "repobility-threat-engine", "fingerprint": "eeae297533f9b073a05217b33c2f466eb64932939db844d9cc5988856e4a7e0a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eeae297533f9b073a05217b33c2f466eb64932939db844d9cc5988856e4a7e0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/netdata-pkgcloud-cleanup.py"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 69630, "scanner": "repobility-threat-engine", "fingerprint": "8e23d31286e65f9896d2be9295802b09fe832ba1e1bbf8957cf8abbb713b76ad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8e23d31286e65f9896d2be9295802b09fe832ba1e1bbf8957cf8abbb713b76ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/modules/version_manipulation.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 69627, "scanner": "repobility-threat-engine", "fingerprint": "a0769f34321ccb4a2408866410ff258332c2e3d0c176eda236c0efe5490d0026", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a0769f34321ccb4a2408866410ff258332c2e3d0c176eda236c0efe5490d0026"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 69623, "scanner": "repobility-threat-engine", "fingerprint": "9881d2845aeef205704678b0bcd619dfdba1aa00ef58744196d96a66a70dee22", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "print(f\"FATAL: 'PKGCLOUD_TOKEN' environment variable is not set!\", file=sys.stderr)", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|. token|17|print f fatal: pkgcloud_token environment variable is not set file sys.stderr"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/netdata-pkgcloud-cleanup.py"}, "region": {"startLine": 171}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 69622, "scanner": "repobility-threat-engine", "fingerprint": "ec73ab7144f8279b07685530d4548a332013b94d9f7d73f0d56833e70f12ce2a", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "print(\"Token is not defined or empty, continuing with limitation on requests per sec towards Github", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|. token|1|print token is not defined or empty continuing with limitation on requests per sec towards github"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/modules/version_manipulation.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED040", "level": "none", "message": {"text": "[MINED040] Python Yaml Load Unsafe (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 69621, "scanner": "repobility-threat-engine", "fingerprint": "4f00028d3552e33c5733891352726380cc3977041bed636d806e6ff1de2658c0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "python-yaml-load-unsafe", "owasp": null, "cwe_ids": ["CWE-502"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347991+00:00", "triaged_in_corpus": 15, "observations_count": 1487, "ai_coder_pattern_id": 120}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4f00028d3552e33c5733891352726380cc3977041bed636d806e6ff1de2658c0", "aggregated_count": 6}}}, {"ruleId": "MINED018", "level": "none", "message": {"text": "[MINED018] Unsafe Deserialization Pickle (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 69617, "scanner": "repobility-threat-engine", "fingerprint": "4adcc57bababc0bb0e40375c8f8d68eb37c4a693811fef53a1bf472d9bbf03eb", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|4adcc57bababc0bb0e40375c8f8d68eb37c4a693811fef53a1bf472d9bbf03eb", "aggregated_count": 6}}}, {"ruleId": "SEC116", "level": "none", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 69613, "scanner": "repobility-threat-engine", "fingerprint": "ffbca6adf33a066691f5fb3acc62ed681f51b367804b42ce1125b16944e865b0", "category": "deserialization", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ffbca6adf33a066691f5fb3acc62ed681f51b367804b42ce1125b16944e865b0"}}}, {"ruleId": "SEC079", "level": "none", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 69609, "scanner": "repobility-threat-engine", "fingerprint": "1872767d40d8145759d27fa0a99b590580fe8b5b1ca2bbc040bef8b6caaf3ba6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1872767d40d8145759d27fa0a99b590580fe8b5b1ca2bbc040bef8b6caaf3ba6"}}}, {"ruleId": "SEC007", "level": "none", "message": {"text": "[SEC007] Unsafe Deserialization (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 69605, "scanner": "repobility-threat-engine", "fingerprint": "3cfa210065515c4b1230d1d5fb8818f08942842fc8b8c132fc9489b57ab6d137", "category": "deserialization", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3cfa210065515c4b1230d1d5fb8818f08942842fc8b8c132fc9489b57ab6d137"}}}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 69599, "scanner": "repobility-threat-engine", "fingerprint": "ba10f3c6f7d3c5eb20b50027380c8766c285a57eb15ab22f329dda0e4fdcc3ad", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ba10f3c6f7d3c5eb20b50027380c8766c285a57eb15ab22f329dda0e4fdcc3ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/sow/scan-sensitive.sh"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `src/go/plugin/ibm.d/protocols/websphere/jmx/websphere_jmx_helper.jar` committed in source repo: `src/go/plugin/ibm.d/protocols/websphere/jmx/websphere_jmx_helper.jar` is a .jar binary (7,936 bytes) committed to a repo that otherwise has 4462 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 69956, "scanner": "repobility-supply-chain", "fingerprint": "b1bd0e2f60975952622de0d839c915e6aff01b93be6facbbc9552bad9d913450", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b1bd0e2f60975952622de0d839c915e6aff01b93be6facbbc9552bad9d913450"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/plugin/ibm.d/protocols/websphere/jmx/websphere_jmx_helper.jar"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED128", "level": "error", "message": {"text": "[MINED128] go.mod replaces `github.com/gosnmp/gosnmp` \u2014 redirects to fork `github.com/ilyam8/gosnmp`: `replace github.com/gosnmp/gosnmp => github.com/ilyam8/gosnmp` overrides the canonical dependency with a different source (redirects to fork `github.com/ilyam8/gosnmp`). Local-path replaces are fine for monorepos but in published modules they can hide malicious forks from anyone who only audits the require lines."}, "properties": {"repobilityId": 69955, "scanner": "repobility-supply-chain", "fingerprint": "bf6617c2e9448f0f5e614cf239d34ae09e6d8e29aa6a993ec576bacf26ee80df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gomod-replace-local", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["go"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bf6617c2e9448f0f5e614cf239d34ae09e6d8e29aa6a993ec576bacf26ee80df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/go.mod"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:12` not pinned by digest: `FROM debian:12` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 69954, "scanner": "repobility-supply-chain", "fingerprint": "d1aaf88bb16098842ed6e43d9cdabb4cd0080c605889948408083112c26b82c3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d1aaf88bb16098842ed6e43d9cdabb4cd0080c605889948408083112c26b82c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/dockerfiles/Dockerfile.clang"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `httpd:2.4` unpinned: `container/services image: httpd:2.4` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 69953, "scanner": "repobility-supply-chain", "fingerprint": "b36db655cc85ec302d6e52fec1b78a5ae8d0c0444df9acf96852212168fe77c9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b36db655cc85ec302d6e52fec1b78a5ae8d0c0444df9acf96852212168fe77c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 763}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `httpd:2.4` unpinned: `container/services image: httpd:2.4` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 69952, "scanner": "repobility-supply-chain", "fingerprint": "cb796889635fe2e299a35b113152a15950f1993363515f9f3cbccfcce483a233", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cb796889635fe2e299a35b113152a15950f1993363515f9f3cbccfcce483a233"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 693}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `httpd:2.4` unpinned: `container/services image: httpd:2.4` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 69951, "scanner": "repobility-supply-chain", "fingerprint": "784f86cb24725a5eccca4681c54ae2f3d87afb62cfea7d1ef395c15a712b106d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|784f86cb24725a5eccca4681c54ae2f3d87afb62cfea7d1ef395c15a712b106d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 623}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `shimataro/ssh-key-action` pinned to mutable ref `@v2`: `uses: shimataro/ssh-key-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69928, "scanner": "repobility-supply-chain", "fingerprint": "0b6700de04cf9cf6d3e68a0f476d26186843d8dc68a5d422c24d6ef5a7c9a301", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0b6700de04cf9cf6d3e68a0f476d26186843d8dc68a5d422c24d6ef5a7c9a301"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/monitor-releases.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69927, "scanner": "repobility-supply-chain", "fingerprint": "4ba405fcfccd0d2df1b90f299e4e00c44678a9eb6354f953d00d9ef4551f703f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4ba405fcfccd0d2df1b90f299e4e00c44678a9eb6354f953d00d9ef4551f703f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/monitor-releases.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69926, "scanner": "repobility-supply-chain", "fingerprint": "d188f0a1bb09ff8c77cb81815a4ea993ba316b9d3ae97c9a0d85bfd6708a66d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d188f0a1bb09ff8c77cb81815a4ea993ba316b9d3ae97c9a0d85bfd6708a66d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/monitor-releases.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v4`: `uses: github/codeql-action/analyze@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69925, "scanner": "repobility-supply-chain", "fingerprint": "0e0a8949f93937a224c6ddcd526f6f52d077d25c5338f656a0a3fea33950021e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0e0a8949f93937a224c6ddcd526f6f52d077d25c5338f656a0a3fea33950021e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 204}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/autobuild` pinned to mutable ref `@v4`: `uses: github/codeql-action/autobuild@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69924, "scanner": "repobility-supply-chain", "fingerprint": "591b204d282958d0ce182d49b49297fff878184c145e1b6d3fea828e6a838423", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|591b204d282958d0ce182d49b49297fff878184c145e1b6d3fea828e6a838423"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 200}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v4`: `uses: github/codeql-action/init@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69923, "scanner": "repobility-supply-chain", "fingerprint": "a8f0aa6879a3bdab3abe6efb909b5ec51aeea28498b005cb9f0a02f063e9e822", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a8f0aa6879a3bdab3abe6efb909b5ec51aeea28498b005cb9f0a02f063e9e822"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 196}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69922, "scanner": "repobility-supply-chain", "fingerprint": "fcdc2cb9b40832273424d540bf16d35003ce3f32425641f2759adfd5012b2cea", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fcdc2cb9b40832273424d540bf16d35003ce3f32425641f2759adfd5012b2cea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v4`: `uses: github/codeql-action/analyze@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69921, "scanner": "repobility-supply-chain", "fingerprint": "16df5cac81066f06e050fa276b8a7254920ca9ab4854c001e5227b28d43db76a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|16df5cac81066f06e050fa276b8a7254920ca9ab4854c001e5227b28d43db76a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/autobuild` pinned to mutable ref `@v4`: `uses: github/codeql-action/autobuild@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69920, "scanner": "repobility-supply-chain", "fingerprint": "b845166b7cce386c3e7659162479ce1422111b254b2c8b703dcf05d444af690d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b845166b7cce386c3e7659162479ce1422111b254b2c8b703dcf05d444af690d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v4`: `uses: github/codeql-action/init@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69919, "scanner": "repobility-supply-chain", "fingerprint": "a89f856349926891cf247aeda806b24fc584acc8cc42ed011cc0b3b0bd0560b0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a89f856349926891cf247aeda806b24fc584acc8cc42ed011cc0b3b0bd0560b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69918, "scanner": "repobility-supply-chain", "fingerprint": "25a49a38b076515a3bd523da70ffc3bba02084c260eb032f14070919026d76ff", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|25a49a38b076515a3bd523da70ffc3bba02084c260eb032f14070919026d76ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 161}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v4`: `uses: github/codeql-action/analyze@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69917, "scanner": "repobility-supply-chain", "fingerprint": "48b27d8e8396530ef9fc232e8a60b3d569caecfb296a078b94ad6d7dbd1a509e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|48b27d8e8396530ef9fc232e8a60b3d569caecfb296a078b94ad6d7dbd1a509e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v4`: `uses: github/codeql-action/init@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69916, "scanner": "repobility-supply-chain", "fingerprint": "660862ccaefd78650586207dcccd21f3d05086b8ff259c9c9cb6c1ca3d4427c7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|660862ccaefd78650586207dcccd21f3d05086b8ff259c9c9cb6c1ca3d4427c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69915, "scanner": "repobility-supply-chain", "fingerprint": "090f195601fc1fd1873b90b16d451cf6b67c58b6494ecbf45719aa1a9a307cf8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|090f195601fc1fd1873b90b16d451cf6b67c58b6494ecbf45719aa1a9a307cf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v4`: `uses: github/codeql-action/analyze@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69914, "scanner": "repobility-supply-chain", "fingerprint": "456a45e5a06729615ac2dabd396e697d0562f3fd75ebbf75a4374786ec3c3507", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|456a45e5a06729615ac2dabd396e697d0562f3fd75ebbf75a4374786ec3c3507"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 121}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v4`: `uses: github/codeql-action/init@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69913, "scanner": "repobility-supply-chain", "fingerprint": "f1dcea56a4f42f0c4bfd69fb2ae765b3735a4fa794a12471f3b25d03d452072b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f1dcea56a4f42f0c4bfd69fb2ae765b3735a4fa794a12471f3b25d03d452072b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69912, "scanner": "repobility-supply-chain", "fingerprint": "72db82eddb5b50c6ba98dab794c0a412f55906972cec76094facfe7f3a8b8709", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|72db82eddb5b50c6ba98dab794c0a412f55906972cec76094facfe7f3a8b8709"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69911, "scanner": "repobility-supply-chain", "fingerprint": "78b74c043cd163668f9cd148d3cb83aac75fbfc082491dad4a96c0a31b81a607", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|78b74c043cd163668f9cd148d3cb83aac75fbfc082491dad4a96c0a31b81a607"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rtCamp/action-slack-notify` pinned to mutable ref `@v2`: `uses: rtCamp/action-slack-notify@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69910, "scanner": "repobility-supply-chain", "fingerprint": "9c0695cf8a62acefbbd207386123965e951cbd57af45e2906b7428eda8fd711b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c0695cf8a62acefbbd207386123965e951cbd57af45e2906b7428eda8fd711b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/platform-eol-check.yml"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `imjohnbo/issue-bot` pinned to mutable ref `@v3`: `uses: imjohnbo/issue-bot@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69909, "scanner": "repobility-supply-chain", "fingerprint": "e55cf0788a652c8fcf5e69280a06deb7d7ac6a9b6980eb972451d3e9439c6b78", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e55cf0788a652c8fcf5e69280a06deb7d7ac6a9b6980eb972451d3e9439c6b78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/platform-eol-check.yml"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69908, "scanner": "repobility-supply-chain", "fingerprint": "db08d4b8aeb16a40f1176ff94bd64a2f0ccc564be8d7b3e2b5ce720b340974df", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|db08d4b8aeb16a40f1176ff94bd64a2f0ccc564be8d7b3e2b5ce720b340974df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/platform-eol-check.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rtCamp/action-slack-notify` pinned to mutable ref `@v2`: `uses: rtCamp/action-slack-notify@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69907, "scanner": "repobility-supply-chain", "fingerprint": "facc7095d8a187ad434a3356ceafa6175dbd3d064584ce09a779e0cba0903762", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|facc7095d8a187ad434a3356ceafa6175dbd3d064584ce09a779e0cba0903762"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/platform-eol-check.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69906, "scanner": "repobility-supply-chain", "fingerprint": "4975b82060f274b3fa426eadb34ae31138c7f416f37d34c6968a3120e24a0273", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4975b82060f274b3fa426eadb34ae31138c7f416f37d34c6968a3120e24a0273"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/platform-eol-check.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rtCamp/action-slack-notify` pinned to mutable ref `@v2`: `uses: rtCamp/action-slack-notify@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69902, "scanner": "repobility-supply-chain", "fingerprint": "3aa3154bb4a976b236b0bae8926be46d1e2ade07f44e8a6603dfffbadf869868", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3aa3154bb4a976b236b0bae8926be46d1e2ade07f44e8a6603dfffbadf869868"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverity.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 69901, "scanner": "repobility-supply-chain", "fingerprint": "e225a4d1d9d1bdd38fa289cbba7b98619fe166621c471b387121020eb47ff7f7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e225a4d1d9d1bdd38fa289cbba7b98619fe166621c471b387121020eb47ff7f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverity.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `netdata/base:v3` not pinned by digest: `FROM netdata/base:v3` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 69900, "scanner": "repobility-supply-chain", "fingerprint": "59922d7c6a197e4e864156df8721a2294427aaf40dc87109fe7eb29763f016a5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|59922d7c6a197e4e864156df8721a2294427aaf40dc87109fe7eb29763f016a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packaging/docker/Dockerfile"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `netdata/builder:v3` not pinned by digest: `FROM netdata/builder:v3` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 69899, "scanner": "repobility-supply-chain", "fingerprint": "475fcaccff18f393642757470097949397906cc7821b3c51e125d249b2f3b6d6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|475fcaccff18f393642757470097949397906cc7821b3c51e125d249b2f3b6d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packaging/docker/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `netdata/base:v3` not pinned by digest: `FROM netdata/base:v3` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 69898, "scanner": "repobility-supply-chain", "fingerprint": "761708d6dd5d04891082fcd2ea73334c23163b07897344e412aeead648db005b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|761708d6dd5d04891082fcd2ea73334c23163b07897344e412aeead648db005b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `netdata/builder:v3` not pinned by digest: `FROM netdata/builder:v3` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 69897, "scanner": "repobility-supply-chain", "fingerprint": "dbc18094a78993ad4626b6608854c35e5b2e07c577eb8cd3763b46b12f42b235", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dbc18094a78993ad4626b6608854c35e5b2e07c577eb8cd3763b46b12f42b235"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assert_schema_rejects_item` used but never assigned in __init__: Method `test_view_switch_rejects_nested_view_switch` of class `TaxonomySchemaTest` reads `self.assert_schema_rejects_item`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69869, "scanner": "repobility-ast-engine", "fingerprint": "77e39762fbb059f26c2ee7e850f89addf09e6413ac3fab4e1876677363350956", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|77e39762fbb059f26c2ee7e850f89addf09e6413ac3fab4e1876677363350956"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 197}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assert_schema_rejects_item` used but never assigned in __init__: Method `test_view_switch_rejects_flatten_branch` of class `TaxonomySchemaTest` reads `self.assert_schema_rejects_item`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69868, "scanner": "repobility-ast-engine", "fingerprint": "bb065568e44e91e6b11c798d4bad98b8d49900d8285fefe48fa27f5af90dafaa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bb065568e44e91e6b11c798d4bad98b8d49900d8285fefe48fa27f5af90dafaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assert_schema_rejects_item` used but never assigned in __init__: Method `test_view_switch_rejects_string_branch` of class `TaxonomySchemaTest` reads `self.assert_schema_rejects_item`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69867, "scanner": "repobility-ast-engine", "fingerprint": "06887319705389665b6837ffab7f4b14a715c4e0f066eb4038a4fae16f2b561f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|06887319705389665b6837ffab7f4b14a715c4e0f066eb4038a4fae16f2b561f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assert_schema_rejects_item` used but never assigned in __init__: Method `test_first_available_rejects_string_shorthand` of class `TaxonomySchemaTest` reads `self.assert_schema_rejects_item`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69866, "scanner": "repobility-ast-engine", "fingerprint": "13a9daa21315a927dfdb6028269fdb9e2c48bde0d06a145bc8f5804db6f0fde7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|13a9daa21315a927dfdb6028269fdb9e2c48bde0d06a145bc8f5804db6f0fde7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assert_schema_rejects_item` used but never assigned in __init__: Method `test_flatten_rejects_nested_flatten` of class `TaxonomySchemaTest` reads `self.assert_schema_rejects_item`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69865, "scanner": "repobility-ast-engine", "fingerprint": "ec1085d2f65e0c32766569f21b5f7b87ca64858c2d6060789030e4caacef6619", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ec1085d2f65e0c32766569f21b5f7b87ca64858c2d6060789030e4caacef6619"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assert_schema_rejects_item` used but never assigned in __init__: Method `test_grid_rejects_selector` of class `TaxonomySchemaTest` reads `self.assert_schema_rejects_item`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69864, "scanner": "repobility-ast-engine", "fingerprint": "a3212434e86228044c4fcdf234da49eb214694196450ba073e466604105fc30b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a3212434e86228044c4fcdf234da49eb214694196450ba073e466604105fc30b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assert_schema_rejects_item` used but never assigned in __init__: Method `test_grid_rejects_owned_context` of class `TaxonomySchemaTest` reads `self.assert_schema_rejects_item`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69863, "scanner": "repobility-ast-engine", "fingerprint": "5103888c4d96ea77c2a369cd02b07e100bd7eb2bd9722d958f011df103b78a5c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5103888c4d96ea77c2a369cd02b07e100bd7eb2bd9722d958f011df103b78a5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assert_schema_accepts_item` used but never assigned in __init__: Method `test_view_switch_is_accepted` of class `TaxonomySchemaTest` reads `self.assert_schema_accepts_item`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69862, "scanner": "repobility-ast-engine", "fingerprint": "d1864c7737bc3d59d4ca503adfef7200b8ec7c85217ee2d4b4fb5db962e18f7d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d1864c7737bc3d59d4ca503adfef7200b8ec7c85217ee2d4b4fb5db962e18f7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assert_schema_accepts_item` used but never assigned in __init__: Method `test_first_available_is_accepted` of class `TaxonomySchemaTest` reads `self.assert_schema_accepts_item`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69861, "scanner": "repobility-ast-engine", "fingerprint": "e56caa9528d6f4f573ded0791c89718b4247a3b408f12b58ae50e29dcf904bd1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e56caa9528d6f4f573ded0791c89718b4247a3b408f12b58ae50e29dcf904bd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assert_schema_accepts_item` used but never assigned in __init__: Method `test_flatten_is_accepted` of class `TaxonomySchemaTest` reads `self.assert_schema_accepts_item`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69860, "scanner": "repobility-ast-engine", "fingerprint": "34bbc02732b24934ee1912f2aef98f6fd339a478fd9c1eece560c3952967cb9a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|34bbc02732b24934ee1912f2aef98f6fd339a478fd9c1eece560c3952967cb9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assert_schema_accepts_item` used but never assigned in __init__: Method `test_group_is_accepted` of class `TaxonomySchemaTest` reads `self.assert_schema_accepts_item`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69859, "scanner": "repobility-ast-engine", "fingerprint": "f304ce3f397ea40b35311ed1f98200a8746e2de580a01b200917c41d6da9182e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f304ce3f397ea40b35311ed1f98200a8746e2de580a01b200917c41d6da9182e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assert_schema_accepts_item` used but never assigned in __init__: Method `test_explicit_owned_context_is_accepted` of class `TaxonomySchemaTest` reads `self.assert_schema_accepts_item`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69858, "scanner": "repobility-ast-engine", "fingerprint": "6771fb5405fe5e5816ccc3b30d937b57cd6f63ce213b94398ef695496a5ac94d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6771fb5405fe5e5816ccc3b30d937b57cd6f63ce213b94398ef695496a5ac94d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `assert_schema_rejects_item` of class `TaxonomySchemaTest` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69857, "scanner": "repobility-ast-engine", "fingerprint": "ef89944c1691e9cd1296390c681ee74d3780ca7de9836d7cc6095419d4df9207", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ef89944c1691e9cd1296390c681ee74d3780ca7de9836d7cc6095419d4df9207"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.valid_taxonomy` used but never assigned in __init__: Method `assert_schema_rejects_item` of class `TaxonomySchemaTest` reads `self.valid_taxonomy`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69856, "scanner": "repobility-ast-engine", "fingerprint": "a74b287cb0dc9581f226ac13b29c67f9d371823e4ab177ef9bdcd7657dea3250", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a74b287cb0dc9581f226ac13b29c67f9d371823e4ab177ef9bdcd7657dea3250"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `assert_schema_accepts_item` of class `TaxonomySchemaTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69855, "scanner": "repobility-ast-engine", "fingerprint": "9197395fed2868bb513349cf54ce6c34852dad37146fb1dfe45e647dc22cda2e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9197395fed2868bb513349cf54ce6c34852dad37146fb1dfe45e647dc22cda2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.valid_taxonomy` used but never assigned in __init__: Method `assert_schema_accepts_item` of class `TaxonomySchemaTest` reads `self.valid_taxonomy`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69854, "scanner": "repobility-ast-engine", "fingerprint": "7e568e7ee247bb58991bf5e67ceaedbe4c19e2a9745e06123192e9be597488ec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7e568e7ee247bb58991bf5e67ceaedbe4c19e2a9745e06123192e9be597488ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_grid_rejects_string_shorthand` of class `TaxonomySchemaTest` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69853, "scanner": "repobility-ast-engine", "fingerprint": "792ba469602df1a07df19a7b4c4452eb14d696bba08ca2c7bd6fb62334f0a89e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|792ba469602df1a07df19a7b4c4452eb14d696bba08ca2c7bd6fb62334f0a89e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.valid_taxonomy` used but never assigned in __init__: Method `test_grid_rejects_string_shorthand` of class `TaxonomySchemaTest` reads `self.valid_taxonomy`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69852, "scanner": "repobility-ast-engine", "fingerprint": "42bac659ac4ab18bd682c6f53e134c616feefe55afa49bc36d2cd7d0537aafff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|42bac659ac4ab18bd682c6f53e134c616feefe55afa49bc36d2cd7d0537aafff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_old_contexts_authoring_is_rejected` of class `TaxonomySchemaTest` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69851, "scanner": "repobility-ast-engine", "fingerprint": "d208aa1a93c7a050bdf0f8ec11c2f21fcf2f1ffcc1aba2e0f0204d5b8c8fd4bd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d208aa1a93c7a050bdf0f8ec11c2f21fcf2f1ffcc1aba2e0f0204d5b8c8fd4bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.valid_taxonomy` used but never assigned in __init__: Method `test_old_contexts_authoring_is_rejected` of class `TaxonomySchemaTest` reads `self.valid_taxonomy`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69850, "scanner": "repobility-ast-engine", "fingerprint": "f6dbcca9c9f5577bc3c1cf860eb8262827f059a18068d5f2ea957a332445314f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f6dbcca9c9f5577bc3c1cf860eb8262827f059a18068d5f2ea957a332445314f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertTrue` used but never assigned in __init__: Method `test_section_path_authoring_is_rejected` of class `TaxonomySchemaTest` reads `self.assertTrue`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69849, "scanner": "repobility-ast-engine", "fingerprint": "12964d86443546ce05114dcbd0c1f564a52e61f8c09a4a4883951e22d17e5fdf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|12964d86443546ce05114dcbd0c1f564a52e61f8c09a4a4883951e22d17e5fdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.valid_taxonomy` used but never assigned in __init__: Method `test_section_path_authoring_is_rejected` of class `TaxonomySchemaTest` reads `self.valid_taxonomy`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69848, "scanner": "repobility-ast-engine", "fingerprint": "77909b53c49ff257598a845ded613216bb2f5e9a449947a9a00f8e64d2846632", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|77909b53c49ff257598a845ded613216bb2f5e9a449947a9a00f8e64d2846632"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.valid_taxonomy` used but never assigned in __init__: Method `test_valid_authoring_schema` of class `TaxonomySchemaTest` reads `self.valid_taxonomy`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69847, "scanner": "repobility-ast-engine", "fingerprint": "d48337338faa57319599a5f8d1226b03984e811c736b789eb27e3e3db76b6765", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d48337338faa57319599a5f8d1226b03984e811c736b789eb27e3e3db76b6765"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_valid_authoring_schema` of class `TaxonomySchemaTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69846, "scanner": "repobility-ast-engine", "fingerprint": "163323cbe5edc75d3cdf8dfa15fa3f03f2d6120ea8e237dde8d12a83fc23e122", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|163323cbe5edc75d3cdf8dfa15fa3f03f2d6120ea8e237dde8d12a83fc23e122"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_renderer_fields_are_rejected_as_item_body_siblings: Test function `test_renderer_fields_are_rejected_as_item_body_siblings` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 69845, "scanner": "repobility-ast-engine", "fingerprint": "67a226aa365a4f960515813e986e0edebd2f3d92a2be4d400dfc478c8f8e05d5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|67a226aa365a4f960515813e986e0edebd2f3d92a2be4d400dfc478c8f8e05d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 239}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_renderer_rejects_unknown_non_extension_key: Test function `test_renderer_rejects_unknown_non_extension_key` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 69844, "scanner": "repobility-ast-engine", "fingerprint": "cd20fedf0c5694a2ea57d822963c5ca69607245b468ee476c4c3ce1484178e64", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cd20fedf0c5694a2ea57d822963c5ca69607245b468ee476c4c3ce1484178e64"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 229}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_renderer_allows_x_extension: Test function `test_renderer_allows_x_extension` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 69843, "scanner": "repobility-ast-engine", "fingerprint": "801f1fc41de579a086a93abe96571883dd46f841a09de7051aecdb97df27b848", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|801f1fc41de579a086a93abe96571883dd46f841a09de7051aecdb97df27b848"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 219}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_view_switch_rejects_nested_view_switch: Test function `test_view_switch_rejects_nested_view_switch` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 69842, "scanner": "repobility-ast-engine", "fingerprint": "7a7dd5e4c1c64aa1026c04c2444a2b0dedaaddb2311b9f4b68625de948f6950f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7a7dd5e4c1c64aa1026c04c2444a2b0dedaaddb2311b9f4b68625de948f6950f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 196}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_view_switch_rejects_flatten_branch: Test function `test_view_switch_rejects_flatten_branch` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 69841, "scanner": "repobility-ast-engine", "fingerprint": "7e36cc2598d4af5d0736feaea5da9425accc50549ff5a43e22d2e459f675b170", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7e36cc2598d4af5d0736feaea5da9425accc50549ff5a43e22d2e459f675b170"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 180}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_view_switch_rejects_string_branch: Test function `test_view_switch_rejects_string_branch` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 69840, "scanner": "repobility-ast-engine", "fingerprint": "f05d1acaf7b8fcfa115b1ed90addd32ef59ebdf117fda21f20ccff43037772cd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|f05d1acaf7b8fcfa115b1ed90addd32ef59ebdf117fda21f20ccff43037772cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 169}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_first_available_rejects_string_shorthand: Test function `test_first_available_rejects_string_shorthand` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 69839, "scanner": "repobility-ast-engine", "fingerprint": "57943e4f28ba4a5d0e2d5356538553885c51a0c6f0364bea9e00af255b742b19", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|57943e4f28ba4a5d0e2d5356538553885c51a0c6f0364bea9e00af255b742b19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_flatten_rejects_nested_flatten: Test function `test_flatten_rejects_nested_flatten` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 69838, "scanner": "repobility-ast-engine", "fingerprint": "11c78087962de70c1cf1f92f793ef9f967b04dea73b66457e388928ba207980c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|11c78087962de70c1cf1f92f793ef9f967b04dea73b66457e388928ba207980c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_grid_rejects_selector: Test function `test_grid_rejects_selector` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 69837, "scanner": "repobility-ast-engine", "fingerprint": "d13a6d0156e00a7de5923cfd580745486d5d82694e9b9544981910160ac25171", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d13a6d0156e00a7de5923cfd580745486d5d82694e9b9544981910160ac25171"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_grid_rejects_owned_context: Test function `test_grid_rejects_owned_context` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 69836, "scanner": "repobility-ast-engine", "fingerprint": "1d42d11d4782174cdff37ef4c35fe9943297962480d761463a448f484f016987", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1d42d11d4782174cdff37ef4c35fe9943297962480d761463a448f484f016987"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_view_switch_is_accepted: Test function `test_view_switch_is_accepted` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 69835, "scanner": "repobility-ast-engine", "fingerprint": "b56d328cfe062e6bf0f2d77f02531b07e3a98f9a12461f5cf3bca45a7f49908e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b56d328cfe062e6bf0f2d77f02531b07e3a98f9a12461f5cf3bca45a7f49908e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_first_available_is_accepted: Test function `test_first_available_is_accepted` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 69834, "scanner": "repobility-ast-engine", "fingerprint": "748ab483db566eb0d63203c02e56da40684e7051e0e1e26954fff4319c4178e7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|748ab483db566eb0d63203c02e56da40684e7051e0e1e26954fff4319c4178e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 95}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_flatten_is_accepted: Test function `test_flatten_is_accepted` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 69833, "scanner": "repobility-ast-engine", "fingerprint": "cbfee303684507cf9fda095187f26995eb916b8c49538f259d0b64e5221284fa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|cbfee303684507cf9fda095187f26995eb916b8c49538f259d0b64e5221284fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_group_is_accepted: Test function `test_group_is_accepted` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 69832, "scanner": "repobility-ast-engine", "fingerprint": "ae709c998d21124b1700fc69179c982fae6ea78d83a7dc5f70065711e82bd271", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ae709c998d21124b1700fc69179c982fae6ea78d83a7dc5f70065711e82bd271"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_explicit_owned_context_is_accepted: Test function `test_explicit_owned_context_is_accepted` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 69831, "scanner": "repobility-ast-engine", "fingerprint": "5cf9bdee732b8f117dbd50f9cdb24e45477099f6a66edb7cec7f28e4c3ad3f6d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5cf9bdee732b8f117dbd50f9cdb24e45477099f6a66edb7cec7f28e4c3ad3f6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/tests/test_taxonomy.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_section_ancestor` used but never assigned in __init__: Method `_build_maps` of class `CategoryMapper` reads `self.get_section_ancestor`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 69830, "scanner": "repobility-ast-engine", "fingerprint": "15c053fbb359c6579bc79694be29b12057710486e9c1579772d0aaa2547ac73e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|15c053fbb359c6579bc79694be29b12057710486e9c1579772d0aaa2547ac73e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/gen_doc_collector_page.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 69818, "scanner": "repobility-docker", "fingerprint": "30c7f56df8aafcce94621e3a58313adc7c3e553e3a42c7c5e921aedd182f23fc", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "${ORACLE_PORT:-1521}:1521", "target": "1521", "host_ip": "${ORACLE_PORT", "published": "-1521}"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "oracledb", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|30c7f56df8aafcce94621e3a58313adc7c3e553e3a42c7c5e921aedd182f23fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 299}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 69808, "scanner": "repobility-docker", "fingerprint": "5e00a67f03f11a3c87ac2fe3d03025171314446751361d12a3cdc5a3515b28de", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "proxysql-init", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|5e00a67f03f11a3c87ac2fe3d03025171314446751361d12a3cdc5a3515b28de", "expected_targets": ["/var/lib/mysql"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 207}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 69803, "scanner": "repobility-docker", "fingerprint": "49bdb8796d379814bd289d594f5892fb367c735fb90404a9ab9cfe704ebe0eb0", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "elasticsearch", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|49bdb8796d379814bd289d594f5892fb367c735fb90404a9ab9cfe704ebe0eb0", "expected_targets": ["/usr/share/elasticsearch/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 138}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 69802, "scanner": "repobility-docker", "fingerprint": "7c7e904374d017618d4dd661ff8a6940f72bde03ad8ba5be7b9d9f05896116be", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "${ELASTICSEARCH_PORT:-9200}:9200", "target": "9200", "host_ip": "${ELASTICSEARCH_PORT", "published": "-9200}"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "elasticsearch", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|7c7e904374d017618d4dd661ff8a6940f72bde03ad8ba5be7b9d9f05896116be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 138}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 69800, "scanner": "repobility-docker", "fingerprint": "2371715f42efc28dad011bae1b6f7d1fa64fb25cb1a1998b0497e71d90aa7683", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "clickhouse-init", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|2371715f42efc28dad011bae1b6f7d1fa64fb25cb1a1998b0497e71d90aa7683", "expected_targets": ["/var/lib/clickhouse"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 126}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 69798, "scanner": "repobility-docker", "fingerprint": "3ef14c11ed1564858df3f61d26c432e1a5bd484f5d0b01828b786191da02867b", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "clickhouse", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|3ef14c11ed1564858df3f61d26c432e1a5bd484f5d0b01828b786191da02867b", "expected_targets": ["/var/lib/clickhouse"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 112}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 69797, "scanner": "repobility-docker", "fingerprint": "371f46ec939e798a6a01adbb9785c640a3b65cd869aa817d1763bd3e181c27f4", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "${CLICKHOUSE_HTTP_PORT:-8123}:8123", "target": "8123", "host_ip": "${CLICKHOUSE_HTTP_PORT", "published": "-8123}"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "clickhouse", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|371f46ec939e798a6a01adbb9785c640a3b65cd869aa817d1763bd3e181c27f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 112}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 69791, "scanner": "repobility-docker", "fingerprint": "c93f141dba4ace553e3787325ad767290dc59aa8774ed3d7ddf2ef2f416e58b1", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "${REDIS_PORT:-6379}:6379", "target": "6379", "host_ip": "${REDIS_PORT", "published": "-6379}"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|c93f141dba4ace553e3787325ad767290dc59aa8774ed3d7ddf2ef2f416e58b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 69789, "scanner": "repobility-docker", "fingerprint": "854dc67b787e19b14e06570d0fec4dc8fb0c9002912ef5689445b03b4726b6ec", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mongo-init", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|854dc67b787e19b14e06570d0fec4dc8fb0c9002912ef5689445b03b4726b6ec", "expected_targets": ["/data/configdb", "/data/db"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 69787, "scanner": "repobility-docker", "fingerprint": "f0a199b84f405d8c78a342bce77698f67a88f021d7e067bc1532c5aff5890fce", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mongo", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|f0a199b84f405d8c78a342bce77698f67a88f021d7e067bc1532c5aff5890fce", "expected_targets": ["/data/configdb", "/data/db"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 69786, "scanner": "repobility-docker", "fingerprint": "d3c0a2b62d0d708a334d42d5e57e53f31a81cd28e06129cebe5ef4d093e3a5be", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "${MONGO_PORT:-27017}:27017", "target": "27017", "host_ip": "${MONGO_PORT", "published": "-27017}"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mongo", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|d3c0a2b62d0d708a334d42d5e57e53f31a81cd28e06129cebe5ef4d093e3a5be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 69780, "scanner": "repobility-docker", "fingerprint": "49a46bf1204bbf52f0c7805584ba43974c0a900bb09140cdd28c82af87f28f65", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mssql", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|49a46bf1204bbf52f0c7805584ba43974c0a900bb09140cdd28c82af87f28f65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 69779, "scanner": "repobility-docker", "fingerprint": "5b5e7dbee59424215b6948043f538199afd1cd6464247d36e608059f47c7392b", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "${MSSQL_PORT:-1433}:1433", "target": "1433", "host_ip": "${MSSQL_PORT", "published": "-1433}"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mssql", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|5b5e7dbee59424215b6948043f538199afd1cd6464247d36e608059f47c7392b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 69774, "scanner": "repobility-docker", "fingerprint": "e7f29fe77c5807416c98e49654e309a7ab56cde39efcb6631ce3a03622fd15bc", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|e7f29fe77c5807416c98e49654e309a7ab56cde39efcb6631ce3a03622fd15bc", "expected_targets": ["/var/lib/mysql"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 69773, "scanner": "repobility-docker", "fingerprint": "dd46b9b87f8f2ff3fcc839f42d9c0df9c3eb24385801c245fab061dcfabfe2a0", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "${MYSQL_PORT:-3306}:3306", "target": "3306", "host_ip": "${MYSQL_PORT", "published": "-3306}"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mysql", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|dd46b9b87f8f2ff3fcc839f42d9c0df9c3eb24385801c245fab061dcfabfe2a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 69770, "scanner": "repobility-docker", "fingerprint": "a3f9189195652d56e43e77135c316e7c843826c83fc389e0743732cc7fe6846e", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|a3f9189195652d56e43e77135c316e7c843826c83fc389e0743732cc7fe6846e", "expected_targets": ["/var/lib/postgresql/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 69769, "scanner": "repobility-docker", "fingerprint": "284a470991a10c5841269f55182a05242ea1667cc6799ac8fe6aacae8a2eafcf", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "${POSTGRES_PORT:-5432}:5432", "target": "5432", "host_ip": "${POSTGRES_PORT", "published": "-5432}"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "postgres", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|284a470991a10c5841269f55182a05242ea1667cc6799ac8fe6aacae8a2eafcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 69725, "scanner": "repobility-threat-engine", "fingerprint": "4de070e664f849f4fa5cf86e62d44c49aaaa5730d9ee98c8721bb125bb9259c1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4de070e664f849f4fa5cf86e62d44c49aaaa5730d9ee98c8721bb125bb9259c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/plugin/go.d/collector/ceph/collector.go"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC088", "level": "error", "message": {"text": "[SEC088] Go: TLS InsecureSkipVerify=true: tls.Config{InsecureSkipVerify:true} disables certificate verification \u2014 MITM risk. Ported from gosec G402 (Apache-2.0)."}, "properties": {"repobilityId": 69724, "scanner": "repobility-threat-engine", "fingerprint": "971f78248f96f13c5d66cefda863ded409c34bf5121879e713bd5d064fe99290", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "InsecureSkipVerify: true", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC088", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|971f78248f96f13c5d66cefda863ded409c34bf5121879e713bd5d064fe99290"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/plugin/go.d/collector/ceph/collector.go"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 69723, "scanner": "repobility-threat-engine", "fingerprint": "daa9c25900fb1c049b22bf9b3308ff760945d59aa49829ea8d87d494e093e0f0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|daa9c25900fb1c049b22bf9b3308ff760945d59aa49829ea8d87d494e093e0f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/plugin/framework/functions/manager_worker.go"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 69722, "scanner": "repobility-threat-engine", "fingerprint": "10772e7bd37716f75fab00bd15b5f01cc9bfb90eaced6c7912f960ee7c662511", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.Command(ndrunPath,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|10772e7bd37716f75fab00bd15b5f01cc9bfb90eaced6c7912f960ee7c662511"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/plugin/go.d/collector/nvidia_smi/exec.go"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 69721, "scanner": "repobility-threat-engine", "fingerprint": "f897f7b31825fa3b88deae1b213783471fa29e2d89d0015837a4cdec5ae0b6a1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f897f7b31825fa3b88deae1b213783471fa29e2d89d0015837a4cdec5ae0b6a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/plugin/agent/secrets/resolver/cmd.go"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 69719, "scanner": "repobility-threat-engine", "fingerprint": "0092630079ee555959cc12f048c006de4ef366d150dc3f7f81878754bb72f7f4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0092630079ee555959cc12f048c006de4ef366d150dc3f7f81878754bb72f7f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/plugin/agent/jobmgr/job_factory.go"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 69718, "scanner": "repobility-threat-engine", "fingerprint": "1351cec4b4ed53f131f7146fe2b6f8d097ef6e8784266fdc0237c980be1366ef", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1351cec4b4ed53f131f7146fe2b6f8d097ef6e8784266fdc0237c980be1366ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/pkg/prometheus/client.go"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 69717, "scanner": "repobility-threat-engine", "fingerprint": "5ea16b92e6636cd68f5b12f2781b912332c3065cb3ec7e78fcb53421e9a0c838", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5ea16b92e6636cd68f5b12f2781b912332c3065cb3ec7e78fcb53421e9a0c838"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/pkg/netdataapi/api.go"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 69699, "scanner": "repobility-threat-engine", "fingerprint": "3e218901f8fa21465054e57195339494a8e2bcae2c9e359fde0f4325b76c650e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e218901f8fa21465054e57195339494a8e2bcae2c9e359fde0f4325b76c650e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/plugin/go.d/collector/boinc/client.go"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 69698, "scanner": "repobility-threat-engine", "fingerprint": "c8e242ccf7d4f35d099037ba8f802ec699de575072eb6d29ba3cd9de0f6a9f3a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c8e242ccf7d4f35d099037ba8f802ec699de575072eb6d29ba3cd9de0f6a9f3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/plugin/go.d/collector/azure_monitor/helpers.go"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 69697, "scanner": "repobility-threat-engine", "fingerprint": "0ab1f51df025c49b2c7acc67b5a491eb9077827e1b9fd55151d1104b038c0fe8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0ab1f51df025c49b2c7acc67b5a491eb9077827e1b9fd55151d1104b038c0fe8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/rdp/src/main.rs"}, "region": {"startLine": 239}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 69682, "scanner": "repobility-threat-engine", "fingerprint": "9cb2e3a1a3b9687444403cf3538a6f9fc1ea515934c42fbf44d171e3a033707b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9cb2e3a1a3b9687444403cf3538a6f9fc1ea515934c42fbf44d171e3a033707b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/journal-core/src/file/cursor.rs"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 69681, "scanner": "repobility-threat-engine", "fingerprint": "d2fb4633e673ade00dab777ef508e0632607ff67bf1c7fedf328e7d8da38be5e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d2fb4633e673ade00dab777ef508e0632607ff67bf1c7fedf328e7d8da38be5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/jf/journal_file/src/cursor.rs"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 69679, "scanner": "repobility-threat-engine", "fingerprint": "74eb78961c88c26c5390b48f9fd6fae62da03a27d6f388768c2feea6532075f6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|74eb78961c88c26c5390b48f9fd6fae62da03a27d6f388768c2feea6532075f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/jf/journal_reader_ffi/build.rs"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 69678, "scanner": "repobility-threat-engine", "fingerprint": "f618dd26a88faff58ee820d172bef4d45c649b3f385fa4b109b4efda477cc5df", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f618dd26a88faff58ee820d172bef4d45c649b3f385fa4b109b4efda477cc5df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/jf/journal_file/src/hash.rs"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 69677, "scanner": "repobility-threat-engine", "fingerprint": "568a3c4398f98c296e1fee0a035b15aa43ed724449c13d81ab2057e1e8ff682d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|568a3c4398f98c296e1fee0a035b15aa43ed724449c13d81ab2057e1e8ff682d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/jf/journal_file/src/cursor.rs"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 69668, "scanner": "repobility-threat-engine", "fingerprint": "57eb6ce9499eb8fb9d52b83266a79e9a2ec85d9d1ee7da9b03a653967c30f1a4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|57eb6ce9499eb8fb9d52b83266a79e9a2ec85d9d1ee7da9b03a653967c30f1a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/urllib3/_collections.py"}, "region": {"startLine": 211}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 69667, "scanner": "repobility-threat-engine", "fingerprint": "c4ab9af57082a7ce8e9f172b667238e03981cbdc522381ba04946b592238ec34", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c4ab9af57082a7ce8e9f172b667238e03981cbdc522381ba04946b592238ec34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/pyyaml3/error.py"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 69666, "scanner": "repobility-threat-engine", "fingerprint": "ab37699db5de4e7dbce267326b12e5c32f9a35cbe5f7d6c243886d339e4c3f30", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ab37699db5de4e7dbce267326b12e5c32f9a35cbe5f7d6c243886d339e4c3f30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/bases/FrameworkServices/UrlService.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 69661, "scanner": "repobility-threat-engine", "fingerprint": "498edf9df60053aac8b4c7ea953c6fddc103e4b9e25048479c5ce25f4d24c141", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "self.update(index+1)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|498edf9df60053aac8b4c7ea953c6fddc103e4b9e25048479c5ce25f4d24c141"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/pyyaml3/reader.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 69660, "scanner": "repobility-threat-engine", "fingerprint": "3e7250ee75f80262f726e4e003a22415a2c8ec3c4dd6e8c525d18f3778ba4f51", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "properties.update(extra_conf)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3e7250ee75f80262f726e4e003a22415a2c8ec3c4dd6e8c525d18f3778ba4f51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/bases/FrameworkServices/MySQLService.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 69659, "scanner": "repobility-threat-engine", "fingerprint": "c03beb9c0df67ef3b64be668f1cf2a75b1accd50419e4f48aca94a28d2c378a8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "data.update(data_tmp)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c03beb9c0df67ef3b64be668f1cf2a75b1accd50419e4f48aca94a28d2c378a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/pandas/pandas.chart.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC032", "level": "error", "message": {"text": "[SEC032] Unrestricted File Upload \u2014 no extension/MIME validation: File upload accepts the user's filename without validating extension, content-type, or magic bytes. Attackers upload `.php`, `.jsp`, or executable files to a web-served directory, then visit the URL to trigger RCE. CWE-434. Examples: Apache Struts (CVE-2017-9805), countless WordPress plugin RCEs."}, "properties": {"repobilityId": 69657, "scanner": "repobility-threat-engine", "fingerprint": "c4ffd887529c2ce123dd025f89cee43dad26cec2f2d0cfadd995b93e467ee148", "category": "file_upload", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "open(values[PAGES_SHARED].filename,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC032", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c4ffd887529c2ce123dd025f89cee43dad26cec2f2d0cfadd995b93e467ee148"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/proc.plugin/sys_kernel_mm_ksm.c"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC032", "level": "error", "message": {"text": "[SEC032] Unrestricted File Upload \u2014 no extension/MIME validation: File upload accepts the user's filename without validating extension, content-type, or magic bytes. Attackers upload `.php`, `.jsp`, or executable files to a web-served directory, then visit the URL to trigger RCE. CWE-434. Examples: Apache Struts (CVE-2017-9805), countless WordPress plugin RCEs."}, "properties": {"repobilityId": 69656, "scanner": "repobility-threat-engine", "fingerprint": "0efd51d2d0c45a83ec5017824648c9eb5fa0b03b7d94be8407ae7917b7744d34", "category": "file_upload", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "open(m->numastat.filename,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC032", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0efd51d2d0c45a83ec5017824648c9eb5fa0b03b7d94be8407ae7917b7744d34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/proc.plugin/sys_devices_system_node.c"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 69646, "scanner": "repobility-threat-engine", "fingerprint": "c42b0ee3fb291c64e9ae011ebf8084009cb6d6883d1ba26320670403266d4947", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(REQUEST", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|33|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packaging/windows/fetch-msys2-installer.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 69629, "scanner": "repobility-threat-engine", "fingerprint": "11617619ca9cabf10b9eff564b1ee9786c2076142b1bab673b5eb2be91aafa0f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|11617619ca9cabf10b9eff564b1ee9786c2076142b1bab673b5eb2be91aafa0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/netdata-pkgcloud-cleanup.py"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 69628, "scanner": "repobility-threat-engine", "fingerprint": "4d391aa010922d5cc1e23afc10cf97d15d9a8b64d64b1c0afad262abd420f1e9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4d391aa010922d5cc1e23afc10cf97d15d9a8b64d64b1c0afad262abd420f1e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/modules/version_manipulation.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 69626, "scanner": "repobility-threat-engine", "fingerprint": "d721a43cc5d783a354cdda0ddf8ca2c9bc503883b82e0bacc7ecacdcfb843fc6", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "urllib.request.urlopen(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d721a43cc5d783a354cdda0ddf8ca2c9bc503883b82e0bacc7ecacdcfb843fc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/platform-impending-eol.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 69625, "scanner": "repobility-threat-engine", "fingerprint": "29b1ea93616b62926d6a32449cba2e8570d60efa15fcbd9a37cf60d5eb31a6e3", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|29b1ea93616b62926d6a32449cba2e8570d60efa15fcbd9a37cf60d5eb31a6e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/netdata-pkgcloud-cleanup.py"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 69624, "scanner": "repobility-threat-engine", "fingerprint": "b7d4ff6a8ac05c9be92980a6275f5ae6e4b5d816785f9741a3276f11f531f9df", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(remote_url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b7d4ff6a8ac05c9be92980a6275f5ae6e4b5d816785f9741a3276f11f531f9df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/modules/version_manipulation.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED040", "level": "error", "message": {"text": "[MINED040] Python Yaml Load Unsafe: yaml.load(stream) without SafeLoader can deserialize arbitrary classes."}, "properties": {"repobilityId": 69620, "scanner": "repobility-threat-engine", "fingerprint": "b194ca4cc14d679a9be36e135e632c31a8a08a003ba0e02cc664bf96a0b44c55", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-yaml-load-unsafe", "owasp": null, "cwe_ids": ["CWE-502"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347991+00:00", "triaged_in_corpus": 15, "observations_count": 1487, "ai_coder_pattern_id": 120}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b194ca4cc14d679a9be36e135e632c31a8a08a003ba0e02cc664bf96a0b44c55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/gen-matrix-eol-check.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED040", "level": "error", "message": {"text": "[MINED040] Python Yaml Load Unsafe: yaml.load(stream) without SafeLoader can deserialize arbitrary classes."}, "properties": {"repobilityId": 69619, "scanner": "repobility-threat-engine", "fingerprint": "3a39d12aad7e74fd14176cb093bafa53018a23052c5f41f129ffca5f15cd1b4f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-yaml-load-unsafe", "owasp": null, "cwe_ids": ["CWE-502"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347991+00:00", "triaged_in_corpus": 15, "observations_count": 1487, "ai_coder_pattern_id": 120}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3a39d12aad7e74fd14176cb093bafa53018a23052c5f41f129ffca5f15cd1b4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/gen-matrix-docker.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED040", "level": "error", "message": {"text": "[MINED040] Python Yaml Load Unsafe: yaml.load(stream) without SafeLoader can deserialize arbitrary classes."}, "properties": {"repobilityId": 69618, "scanner": "repobility-threat-engine", "fingerprint": "15cb11d598db09b43dbe8b94d40c8c28d67a01cb5a3dbe96cf42f55aa89d21d4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-yaml-load-unsafe", "owasp": null, "cwe_ids": ["CWE-502"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347991+00:00", "triaged_in_corpus": 15, "observations_count": 1487, "ai_coder_pattern_id": 120}, "scanner": "repobility-threat-engine", "correlation_key": "fp|15cb11d598db09b43dbe8b94d40c8c28d67a01cb5a3dbe96cf42f55aa89d21d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/gen-matrix-build.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED021", "level": "error", "message": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "properties": {"repobilityId": 69601, "scanner": "repobility-threat-engine", "fingerprint": "9c3af34f86d11d376391b2a24f6b86d426c110cf503a3b115fe1413af41fee04", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "path-traversal-os-join", "owasp": "A01:2021", "cwe_ids": ["CWE-22"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347947+00:00", "triaged_in_corpus": 15, "observations_count": 45678, "ai_coder_pattern_id": 31}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9c3af34f86d11d376391b2a24f6b86d426c110cf503a3b115fe1413af41fee04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/get-go-version.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED021", "level": "error", "message": {"text": "[MINED021] Path Traversal Os Join: os.path.join(user_dir, filename) where filename can contain \"../\" \u2014 directory escape."}, "properties": {"repobilityId": 69600, "scanner": "repobility-threat-engine", "fingerprint": "8d452a4ede845bc3846739d98a4ea6d46eb68c73123ee70107f5daeb06d8aff8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "path-traversal-os-join", "owasp": "A01:2021", "cwe_ids": ["CWE-22"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347947+00:00", "triaged_in_corpus": 15, "observations_count": 45678, "ai_coder_pattern_id": 31}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8d452a4ede845bc3846739d98a4ea6d46eb68c73123ee70107f5daeb06d8aff8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/check_latest_versions.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_WEBHOOK_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69950, "scanner": "repobility-supply-chain", "fingerprint": "3388beb485f01a1071dad9318cf1b84f5afba48eb7d980647b11f4d500a17849", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3388beb485f01a1071dad9318cf1b84f5afba48eb7d980647b11f4d500a17849"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 791}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_WEBHOOK_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69949, "scanner": "repobility-supply-chain", "fingerprint": "621ac1de99b4f3cfd333161cb1d0594bf870e15df7c644bc20826ae82e142449", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|621ac1de99b4f3cfd333161cb1d0594bf870e15df7c644bc20826ae82e142449"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 731}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_WEBHOOK_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69948, "scanner": "repobility-supply-chain", "fingerprint": "f0e18ab3054c70b9d579afc188333c03f2a2956ae4021561d93d3ac46816f548", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0e18ab3054c70b9d579afc188333c03f2a2956ae4021561d93d3ac46816f548"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 631}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NETDATABOT_QUAY_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NETDATABOT_QUAY_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69947, "scanner": "repobility-supply-chain", "fingerprint": "2548f63245cc65ae62c20db33391f66d07c6b766e0e5b8ccbaf55797dd299c76", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2548f63245cc65ae62c20db33391f66d07c6b766e0e5b8ccbaf55797dd299c76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 606}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NETDATABOT_QUAY_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NETDATABOT_QUAY_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69946, "scanner": "repobility-supply-chain", "fingerprint": "58a1034d1ccf818382b8efa7bccac517809a0183ccba327b4be38ff762105333", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|58a1034d1ccf818382b8efa7bccac517809a0183ccba327b4be38ff762105333"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 605}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_WEBHOOK_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69945, "scanner": "repobility-supply-chain", "fingerprint": "5528d33e254be3a7fb7277aa8ca2539136a30104dc0fd7f6a8ff6c051dfd6487", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5528d33e254be3a7fb7277aa8ca2539136a30104dc0fd7f6a8ff6c051dfd6487"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 571}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NETDATABOT_QUAY_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NETDATABOT_QUAY_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69944, "scanner": "repobility-supply-chain", "fingerprint": "31215847fd54ea8074ee5055d5d6d6b1799e3ad88cc5b7c3464528716e8846b6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|31215847fd54ea8074ee5055d5d6d6b1799e3ad88cc5b7c3464528716e8846b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 522}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NETDATABOT_QUAY_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NETDATABOT_QUAY_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69943, "scanner": "repobility-supply-chain", "fingerprint": "868e5899a775a5655761cf083a0513e65837f1e19ac96977de855d0c8275f7f1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|868e5899a775a5655761cf083a0513e65837f1e19ac96977de855d0c8275f7f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 521}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_WEBHOOK_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69942, "scanner": "repobility-supply-chain", "fingerprint": "b2f79ac032392e44b01590db88038340a3f2297df4be648686d16f241a7437e9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b2f79ac032392e44b01590db88038340a3f2297df4be648686d16f241a7437e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 471}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKER_HUB_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_HUB_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69941, "scanner": "repobility-supply-chain", "fingerprint": "3ecab394a3a54290b92d087e48e9ddcd5b589ee5cd69acb650dfeee62e8e3daa", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ecab394a3a54290b92d087e48e9ddcd5b589ee5cd69acb650dfeee62e8e3daa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 446}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKER_HUB_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_HUB_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69940, "scanner": "repobility-supply-chain", "fingerprint": "d577c134c54b5abcc555f404e7f23d44286d1027c979d24cc3925357e1a18c79", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d577c134c54b5abcc555f404e7f23d44286d1027c979d24cc3925357e1a18c79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 445}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_WEBHOOK_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69939, "scanner": "repobility-supply-chain", "fingerprint": "05339bc2f06cc631dcfbba030d92da1f7151658b99c403a299030829d653c6f4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|05339bc2f06cc631dcfbba030d92da1f7151658b99c403a299030829d653c6f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 412}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKER_HUB_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_HUB_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69938, "scanner": "repobility-supply-chain", "fingerprint": "ad9743179f93f879520b34bb788c561371ca58c0220d9cb5e99b7e13f20adf1c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad9743179f93f879520b34bb788c561371ca58c0220d9cb5e99b7e13f20adf1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 363}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKER_HUB_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_HUB_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69937, "scanner": "repobility-supply-chain", "fingerprint": "8f0355b0b269a1f0955dacc85e8eb1b074e471f75ceaec969ffca9799f75b814", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8f0355b0b269a1f0955dacc85e8eb1b074e471f75ceaec969ffca9799f75b814"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 362}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_WEBHOOK_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69936, "scanner": "repobility-supply-chain", "fingerprint": "f8dc8c6515ba422a7871689fb34e328299fd9df721e4afaae988c56c37839175", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f8dc8c6515ba422a7871689fb34e328299fd9df721e4afaae988c56c37839175"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 284}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_WEBHOOK_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69935, "scanner": "repobility-supply-chain", "fingerprint": "e6148916028309d85a216adf7f8ef762816b425a2184a9d3a2bebef75d971a0c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e6148916028309d85a216adf7f8ef762816b425a2184a9d3a2bebef75d971a0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 189}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_WEBHOOK_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69934, "scanner": "repobility-supply-chain", "fingerprint": "eda22c193c124177a4d959db0a475fbfa88797b5789139abd3b0fdc5c1077b33", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eda22c193c124177a4d959db0a475fbfa88797b5789139abd3b0fdc5c1077b33"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/repoconfig-packages.yml"}, "region": {"startLine": 180}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NETDATABOT_PACKAGE_SIGNING_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NETDATABOT_PACKAGE_SIGNING_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69933, "scanner": "repobility-supply-chain", "fingerprint": "8c3024d139c0fbb86dd5a494b45bfe880287efe419bbdf280ff10d4075548bd2", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8c3024d139c0fbb86dd5a494b45bfe880287efe419bbdf280ff10d4075548bd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/repoconfig-packages.yml"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PACKAGES_KNOWN_HOSTS` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PACKAGES_KNOWN_HOSTS }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69932, "scanner": "repobility-supply-chain", "fingerprint": "bda8aedccf903fac4a4647529cab2e599ba48ba894bed91e7bba51456bf67b71", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bda8aedccf903fac4a4647529cab2e599ba48ba894bed91e7bba51456bf67b71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/repoconfig-packages.yml"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NETDATABOT_PACKAGES_SSH_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NETDATABOT_PACKAGES_SSH_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69931, "scanner": "repobility-supply-chain", "fingerprint": "f55f03153a9455999c08bc3251dd0335de03dcaeb5280043d60210d406266f95", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f55f03153a9455999c08bc3251dd0335de03dcaeb5280043d60210d406266f95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/repoconfig-packages.yml"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PACKAGE_CLOUD_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PACKAGE_CLOUD_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69930, "scanner": "repobility-supply-chain", "fingerprint": "1c06adc4ce1125b9e091120cea851958d47056c14144a3b85d47cf53611b8435", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1c06adc4ce1125b9e091120cea851958d47056c14144a3b85d47cf53611b8435"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/repoconfig-packages.yml"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_WEBHOOK_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69929, "scanner": "repobility-supply-chain", "fingerprint": "cc52139fe70fed115820b7356863217375092d0f3c5322a680c3b08da834d278", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cc52139fe70fed115820b7356863217375092d0f3c5322a680c3b08da834d278"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/repoconfig-packages.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SLACK_WEBHOOK_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SLACK_WEBHOOK_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69905, "scanner": "repobility-supply-chain", "fingerprint": "f550ca855236d42a230d158aaf4f16b971aa88fbc06e5667e84f9f7838c1dbd4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f550ca855236d42a230d158aaf4f16b971aa88fbc06e5667e84f9f7838c1dbd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverity.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COVERITY_SCAN_SUBMIT_MAIL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COVERITY_SCAN_SUBMIT_MAIL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69904, "scanner": "repobility-supply-chain", "fingerprint": "49f6709bf6b7409fbb1c29cfb3141b36ac0f548e9e4f0a41ca7838462b405c78", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|49f6709bf6b7409fbb1c29cfb3141b36ac0f548e9e4f0a41ca7838462b405c78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverity.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.COVERITY_SCAN_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COVERITY_SCAN_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 69903, "scanner": "repobility-supply-chain", "fingerprint": "e93b4b9f0a156f355c4c8a5f0d2a3a97eea5d64d71d57ef4cf9dc8622effa148", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e93b4b9f0a156f355c4c8a5f0d2a3a97eea5d64d71d57ef4cf9dc8622effa148"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/coverity.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `string` used but not imported: The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 69893, "scanner": "repobility-ast-engine", "fingerprint": "3fc222d30c01b73f8d645ce7317c9ec4bfd35e79c5ce74cacff94bf0bb064192", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3fc222d30c01b73f8d645ce7317c9ec4bfd35e79c5ce74cacff94bf0bb064192"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/urllib3/contrib/_securetransport/low_level.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `http` used but not imported: The file uses `http.something(...)` but never imports `http`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 69875, "scanner": "repobility-ast-engine", "fingerprint": "ee4558cea85fe22541931697f14af72053095d0866c15070e67cbaee0769c682", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ee4558cea85fe22541931697f14af72053095d0866c15070e67cbaee0769c682"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packaging/dag/test_command.py"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED107", "level": "error", "message": {"text": "[MINED107] Missing import: `string` used but not imported: The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes."}, "properties": {"repobilityId": 69828, "scanner": "repobility-ast-engine", "fingerprint": "1eafcf29f6aeb4c2cc9a6043f600e4d3fae7695ff8a41d3120e210958a5278ab", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "missing-import-python", "owasp": "A06:2021", "cwe_ids": ["CWE-1075"], "languages": ["python"], "observations_count": 2192}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1eafcf29f6aeb4c2cc9a6043f600e4d3fae7695ff8a41d3120e210958a5278ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "integrations/gen_docs_integrations.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 69816, "scanner": "repobility-docker", "fingerprint": "4c07c6e112b69876cb8280a4ece15e829505c4640e6e19494b54ae016985f49d", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "oracledb", "variable": "ORACLE_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|4c07c6e112b69876cb8280a4ece15e829505c4640e6e19494b54ae016985f49d", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 299}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 69799, "scanner": "repobility-docker", "fingerprint": "d10e7c3d9bc395eca2ae2a054a8338d7ec9265ad6a16499c532c5f663dd1f29d", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "clickhouse-init", "variable": "CH_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|d10e7c3d9bc395eca2ae2a054a8338d7ec9265ad6a16499c532c5f663dd1f29d", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 126}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 69788, "scanner": "repobility-docker", "fingerprint": "5ab155b6a9447018d410bc379fc0f0fb26c13b3661d47ba6c92f039e33867bac", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mongo-init", "variable": "MONGO_INITDB_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|5ab155b6a9447018d410bc379fc0f0fb26c13b3661d47ba6c92f039e33867bac", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 80}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 69785, "scanner": "repobility-docker", "fingerprint": "7e1ea3064f7609aa3433be9024332f1a67d701c326e508d046e17f7a6f7c927e", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mongo", "variable": "MONGO_INITDB_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|7e1ea3064f7609aa3433be9024332f1a67d701c326e508d046e17f7a6f7c927e", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 69782, "scanner": "repobility-docker", "fingerprint": "24374a09cda6883cef32e2c4ff4a3c3563febd3f4d32fc721b4a4d63d681ce30", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mssql-init", "variable": "MSSQL_SA_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|24374a09cda6883cef32e2c4ff4a3c3563febd3f4d32fc721b4a4d63d681ce30", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 69777, "scanner": "repobility-docker", "fingerprint": "6763dd269127f806402d2e811e748e7f2c52d1529f5b0f2d6a96e14c2e100719", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mssql", "variable": "MSSQL_SA_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|6763dd269127f806402d2e811e748e7f2c52d1529f5b0f2d6a96e14c2e100719", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 69772, "scanner": "repobility-docker", "fingerprint": "0bf40eef91e775f99c253596385981e315827f8bb792d015fe775b5817a05cc2", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mysql", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|0bf40eef91e775f99c253596385981e315827f8bb792d015fe775b5817a05cc2", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 69768, "scanner": "repobility-docker", "fingerprint": "9ef45cab15687f9dcb95f6e60815789cf01544366e121dd250bd1d574759dc5c", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "postgres", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|9ef45cab15687f9dcb95f6e60815789cf01544366e121dd250bd1d574759dc5c", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/tools/functions-validation/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 69726, "scanner": "repobility-threat-engine", "fingerprint": "68d138f59bdbe68b6f3aa06dc6cb506ac0b53d974a60c3646b88dcb38494f938", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "postgres://postgres:postgres@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|3|token", "duplicate_count": 1, "duplicate_rule_ids": ["SEC022"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["68d138f59bdbe68b6f3aa06dc6cb506ac0b53d974a60c3646b88dcb38494f938", "9114f6adae622dfdbd47890c3309d079008a1f4a578079160bdbe34eddb31b0b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/plugin/go.d/collector/pgbouncer/collector.go"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 69696, "scanner": "repobility-threat-engine", "fingerprint": "5739e946304244f932c6e77bf1a8248308d26b7765da31474d5b13878c66237f", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5739e946304244f932c6e77bf1a8248308d26b7765da31474d5b13878c66237f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/netflow-plugin/src/enrichment/classifiers/runtime/eval/action.rs"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 69695, "scanner": "repobility-threat-engine", "fingerprint": "39f83468ecbcdf38e47fe3b4a21979625bb015bbc0cd5bc8a0b37f0b36ab7ee7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|39f83468ecbcdf38e47fe3b4a21979625bb015bbc0cd5bc8a0b37f0b36ab7ee7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/crates/netflow-plugin/src/enrichment/classifiers/helpers.rs"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED022", "level": "error", "message": {"text": "[MINED022] C Strcpy: strcpy/strcat dont bounds-check; use strncpy or snprintf."}, "properties": {"repobilityId": 69676, "scanner": "repobility-threat-engine", "fingerprint": "49678069e497d83858e6a620720fc9a8bd2592a87b0fa873171c20af6df0f667", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-strcpy", "owasp": null, "cwe_ids": ["CWE-120"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347949+00:00", "triaged_in_corpus": 20, "observations_count": 39114, "ai_coder_pattern_id": 130}, "scanner": "repobility-threat-engine", "correlation_key": "fp|49678069e497d83858e6a620720fc9a8bd2592a87b0fa873171c20af6df0f667"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/windows-events.plugin/windows-events-xml.c"}, "region": {"startLine": 238}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 69649, "scanner": "repobility-threat-engine", "fingerprint": "9b3a76ca95848017747be03ef3dbe4d91e0541aa6442d319678637ee9a15eae8", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9b3a76ca95848017747be03ef3dbe4d91e0541aa6442d319678637ee9a15eae8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/go/plugin/go.d/collector/pgbouncer/collector.go"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 69648, "scanner": "repobility-threat-engine", "fingerprint": "714826caa0706d7671570c85c5f72e9732bc728698954b613f8b4a958eb6275c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|714826caa0706d7671570c85c5f72e9732bc728698954b613f8b4a958eb6275c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/collectors/python.d.plugin/python_modules/urllib3/util/url.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 69647, "scanner": "repobility-threat-engine", "fingerprint": "1b39d7f316b817ead2d28d5dc3b85072c3a60faecd01f0e3dfc1954ed003bf98", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1b39d7f316b817ead2d28d5dc3b85072c3a60faecd01f0e3dfc1954ed003bf98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/aclk/aclk_proxy.c"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 69616, "scanner": "repobility-threat-engine", "fingerprint": "7e6e32a11bbbb0adc486bff06dbedd8fd51a378a6fd407c07cef289129a622a5", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7e6e32a11bbbb0adc486bff06dbedd8fd51a378a6fd407c07cef289129a622a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/gen-matrix-eol-check.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 69615, "scanner": "repobility-threat-engine", "fingerprint": "f2458eaabc2a0515e0a6c1e9759100a2468157351c38df59e20fa28f066fe706", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f2458eaabc2a0515e0a6c1e9759100a2468157351c38df59e20fa28f066fe706"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/gen-matrix-docker.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 69614, "scanner": "repobility-threat-engine", "fingerprint": "a3825575ecd3f33b6cab7ec83e29a1dbc5586764bc2055e3d25baf78190a009c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a3825575ecd3f33b6cab7ec83e29a1dbc5586764bc2055e3d25baf78190a009c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/gen-matrix-build.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 69612, "scanner": "repobility-threat-engine", "fingerprint": "c25a2ddb6a0ebe30e4dbd969652fd6d5b9978197cc6a8e543b167e3d32568cf1", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|. token|12|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/gen-matrix-eol-check.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 69611, "scanner": "repobility-threat-engine", "fingerprint": "5ff219f30c17b4052aa0284a412c966bbe41f89ca5631de64986b1dc32168ff4", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|. token|13|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/gen-matrix-docker.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 69610, "scanner": "repobility-threat-engine", "fingerprint": "f0592e983343163cca33137603efea3a587040bc0b6b5890250bc96b3f768f6e", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|. token|11|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/gen-matrix-build.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 69608, "scanner": "repobility-threat-engine", "fingerprint": "038e8d6627de65d58c39b32a7a091dbdb8405aab44b5a45e88a7be94a092a0ed", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(f)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|038e8d6627de65d58c39b32a7a091dbdb8405aab44b5a45e88a7be94a092a0ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/gen-matrix-eol-check.py"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 69607, "scanner": "repobility-threat-engine", "fingerprint": "814b05ae1d2400e695bfc7e89323837cdf3284d0f77b6c777be4b40716bce60d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(f)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|814b05ae1d2400e695bfc7e89323837cdf3284d0f77b6c777be4b40716bce60d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/gen-matrix-docker.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 69606, "scanner": "repobility-threat-engine", "fingerprint": "a709760dc8ce2210d44c6b76964e95d02f7ba297e403e41f6ad641c7325abc8c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(f)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a709760dc8ce2210d44c6b76964e95d02f7ba297e403e41f6ad641c7325abc8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/gen-matrix-build.py"}, "region": {"startLine": 11}}}]}]}]}