{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "AGT006", "name": "React interval is created without an explicit cleanup", "shortDescription": {"text": "React interval is created without an explicit cleanup"}, "fullDescription": {"text": "Store the interval id and return a useEffect cleanup that calls clearInterval. Also clear the interval in explicit stop/end handlers when relevant."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC002", "name": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code.", "shortDescription": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "fullDescription": {"text": "Use environment variables. Add the pattern to .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 13 more): Same pattern found in 13 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED088", "name": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks.", "shortDescription": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 5 more): Same pattern found in 5 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 9 more): Same pattern found in 9 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 47 more): Same pattern found in 47 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 47 more): Same pattern found in 47 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 20 more): Same pattern found in 20 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 103 more): Same pattern found in 103 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 103 more): Same pattern found in 103 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at ", "shortDescription": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compro"}, "fullDescription": {"text": "Replace with: `uses: actions/upload-artifact@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC026", "name": "[SEC026] XML External Entity (XXE) \u2014 Ruby Nokogiri default: Ruby XML parsers (Nokogiri, REXML, libxml-ruby) expand exter", "shortDescription": {"text": "[SEC026] XML External Entity (XXE) \u2014 Ruby Nokogiri default: Ruby XML parsers (Nokogiri, REXML, libxml-ruby) expand external entities by default. REXML in particular has historical billion-laughs vulnerabilities."}, "fullDescription": {"text": "Nokogiri: pass options to disable network + external entities:\n  Nokogiri::XML(xml) { |c| c.options &= ~Nokogiri::XML::ParseOptions::NONET }\nREXML: avoid; switch to Nokogiri or Ox with hardened options."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED010", "name": "[MINED010] Ruby System Call: system / backtick run shell. Command injection if any arg dynamic.", "shortDescription": {"text": "[MINED010] Ruby System Call: system / backtick run shell. Command injection if any arg dynamic."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.RELEASE_LABEL_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_requ", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.RELEASE_LABEL_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.RELEASE_LABEL_TOKEN }` lets a PR from any fork exfiltrat"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1147"}, "properties": {"repository": "MetaMask/metamask-extension", "repoUrl": "https://github.com/MetaMask/metamask-extension", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 114508, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 114502, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js", "Koa"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 114501, "scanner": "repobility-agent-runtime", "fingerprint": "358e48c816584062ddc9992a8f2f89dc05f0873b19cfaed5adfdf8b3e588d4f9", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|358e48c816584062ddc9992a8f2f89dc05f0873b19cfaed5adfdf8b3e588d4f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/scripts/controllers/metametrics-controller.ts"}, "region": {"startLine": 575}}}]}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 114500, "scanner": "repobility-agent-runtime", "fingerprint": "f17790de52b48b9294ea6c454e518ec4eb9827a0d74bbd85700129309c0ebb78", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|f17790de52b48b9294ea6c454e518ec4eb9827a0d74bbd85700129309c0ebb78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/scripts/background.js"}, "region": {"startLine": 853}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 114499, "scanner": "repobility-agent-runtime", "fingerprint": "e63d0fff8620962cfbb45a4b7b91171104f07eeb04c1ff0a97d3b84f93b4a37e", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|e63d0fff8620962cfbb45a4b7b91171104f07eeb04c1ff0a97d3b84f93b4a37e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/bundle.sh"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 114475, "scanner": "repobility-threat-engine", "fingerprint": "d391671f6a690b2e9fa1c0790322e4fc80e1180cd1f6796c6397dc9675298096", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url: 'https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d391671f6a690b2e9fa1c0790322e4fc80e1180cd1f6796c6397dc9675298096"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/app/confirm/info/row/url.stories.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 114474, "scanner": "repobility-threat-engine", "fingerprint": "339806edf08ef92c057618e3251bbc68bbf6cf4d607a6d5fd26229c70dfae4b5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Lorem ipsum dolor sit amet", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|339806edf08ef92c057618e3251bbc68bbf6cf4d607a6d5fd26229c70dfae4b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/app/confirm/info/row/text.stories.tsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 114473, "scanner": "repobility-threat-engine", "fingerprint": "d6b3bfa4c35ef63e7bd614736dc2061f5e172e354513a900879593ca303b7e07", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Lorem ipsum dolor sit amet", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d6b3bfa4c35ef63e7bd614736dc2061f5e172e354513a900879593ca303b7e07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/app/alert-system/general-alert/general-alert.stories.tsx"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC002", "level": "warning", "message": {"text": "[SEC002] Hardcoded API Key: Hardcoded API key found in source code."}, "properties": {"repobilityId": 114455, "scanner": "repobility-threat-engine", "fingerprint": "e8b3931c84a0e2ce04e946cbe389e3c1e396a9e9fb7560fa3afacc52bc50cdb5", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "evidence": {"match": "API_KEY = '<redacted>'", "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "rule_id": "SEC002", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|1|api_key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/scripts/constants/on-ramp.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 114454, "scanner": "repobility-threat-engine", "fingerprint": "d865ee9d5dd25efcff88dbd2ef1177a7fee48d6acd71c8b5d202824f633e559c", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(TRANSACTION_SHIELD_LINK, '_blank', 'noopener,noreferrer')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|215|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/app/shield-entry-modal/shield-entry-modal.tsx"}, "region": {"startLine": 215}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 114453, "scanner": "repobility-threat-engine", "fingerprint": "34dd7d976b0d551e1e9e0fef17a47425fab5822936ada93cebe9f58a5d2a0377", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(SUPPORT_URL, '_blank', 'noopener,noreferrer')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|86|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/app/modals/multichain-accounts/intro-modal/multichain-account-intro-modal.container.tsx"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 114452, "scanner": "repobility-threat-engine", "fingerprint": "a653efb677159eb16cad5d4839c30ff966e4f79ffe3cc4e23cb3e210e0e2fccc", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(url)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|7|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/offscreen/hardware-wallets/lattice.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 114434, "scanner": "repobility-threat-engine", "fingerprint": "0082a0dc6d39e989ac1b38a3bbe24a7980ca270bc7e0d87780f1974b27b2615a", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|49|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/shared/get-pr-diff.mts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 114433, "scanner": "repobility-threat-engine", "fingerprint": "c25023e39e123dd7454f5fbb17d0bfdba9bbd41e23d19358665f58e5e3acd8fe", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|67|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/known-feature-flag-constants.mts"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 114432, "scanner": "repobility-threat-engine", "fingerprint": "638b3c363d8e815fb2584603b2c0dcccac6835c31e734743262677b04edf4b73", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|35|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/collect-qa-stats-metametrics.mts"}, "region": {"startLine": 35}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 114507, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 114506, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 114505, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 114504, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114498, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a9e4865a7601d8d93b64b580372a5382477731a663001e7123fa46e09a72e86c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/scripts/lib/dapp-swap/dapp-swap-middleware.ts", "duplicate_line": 24, "correlation_key": "fp|a9e4865a7601d8d93b64b580372a5382477731a663001e7123fa46e09a72e86c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/scripts/lib/dapp-swap/dapp-swap-util.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114497, "scanner": "repobility-ai-code-hygiene", "fingerprint": "65df3184e3eb33e0bd364ada862b95459bf03f051cf0f1b66b76dbbed4169dbb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/scripts/controllers/rewards/utils/bitcoin-snap.ts", "duplicate_line": 19, "correlation_key": "fp|65df3184e3eb33e0bd364ada862b95459bf03f051cf0f1b66b76dbbed4169dbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/scripts/controllers/rewards/utils/tron-snap.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114496, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c45ac7fec762bf7475e676143cb1c85bea0ed5d26703e78360f763e88d58306d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/scripts/controllers/rewards/utils/bitcoin-snap.ts", "duplicate_line": 19, "correlation_key": "fp|c45ac7fec762bf7475e676143cb1c85bea0ed5d26703e78360f763e88d58306d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/scripts/controllers/rewards/utils/solana-snap.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114495, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bd902ba8bf6c427aea28ebd52ef4ba6509dc8e3924bbfd797f583b06660cb1a1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/scripts/controllers/decrypt-message.ts", "duplicate_line": 273, "correlation_key": "fp|bd902ba8bf6c427aea28ebd52ef4ba6509dc8e3924bbfd797f583b06660cb1a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/scripts/controllers/encryption-public-key.ts"}, "region": {"startLine": 268}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 114494, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0b1e3b73ef66529e599289df08317f91180d476ab938cab273e0f1fd801bb5b7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".eslintrc.base.js", "duplicate_line": 105, "correlation_key": "fp|0b1e3b73ef66529e599289df08317f91180d476ab938cab273e0f1fd801bb5b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".eslintrc.js"}, "region": {"startLine": 216}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 114493, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e06fbb0296907640d638d192038f0398c83875ea9915de6fc5b2ebc89d481950", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|e06fbb0296907640d638d192038f0398c83875ea9915de6fc5b2ebc89d481950"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/pages/permissions-connect/snaps/snap-update/snap-update.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 114492, "scanner": "repobility-ai-code-hygiene", "fingerprint": "93dd8e3b5d3e252c31919733ae0fa04676a82d205ebf94b321b466e22409c026", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "backup", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|93dd8e3b5d3e252c31919733ae0fa04676a82d205ebf94b321b466e22409c026"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/multichain-accounts/multichain-srp-backup/multichain-srp-backup.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 114491, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dcb0272eab934ad91b7b928891d64f83ca41e32279cf34d468ab5ed55e069fa9", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|dcb0272eab934ad91b7b928891d64f83ca41e32279cf34d468ab5ed55e069fa9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/scripts/on-update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 114490, "scanner": "repobility-threat-engine", "fingerprint": "5dfbf83d2dfc500610b2dc25494a0dd448ce12e6b1a8ed4002d03bc09915ad0a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5dfbf83d2dfc500610b2dc25494a0dd448ce12e6b1a8ed4002d03bc09915ad0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/multichain/notification-list-item-icon/notification-list-item-icon.stories.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 114489, "scanner": "repobility-threat-engine", "fingerprint": "66cbcc2ce449ce2e373677f19e9ff537e93170c2bd2e43554b68f916bdb7498b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|66cbcc2ce449ce2e373677f19e9ff537e93170c2bd2e43554b68f916bdb7498b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/component-library/tag-url/tag-url.stories.tsx"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 114488, "scanner": "repobility-threat-engine", "fingerprint": "c7485259b708ede51d52060a94b689b7c85acdd42ec334e6938a0b87fedaf28b", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value looks like a development placeholder, not a live credential Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "Password = '<redacted>'", "reason": "Value looks like a development placeholder, not a live credential", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|1|password redacted", "duplicate_count": 1, "duplicate_rule_ids": ["SEC001"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["7a20c3e1ae6e4f4a812ceb312dae58c95dba1bae82865ca2f19ae032ea4e6872", "c7485259b708ede51d52060a94b689b7c85acdd42ec334e6938a0b87fedaf28b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/component-library/input/input.types.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 114487, "scanner": "repobility-threat-engine", "fingerprint": "729b643e6bca2592aa4fc4944c630a8412fcea5fbfca0cb8905d71a0efec47d6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|729b643e6bca2592aa4fc4944c630a8412fcea5fbfca0cb8905d71a0efec47d6", "aggregated_count": 1}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 114486, "scanner": "repobility-threat-engine", "fingerprint": "3f8038eb8b49042b3579d19b6ded5014e42e6d059394845f74c704decbc95a08", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3f8038eb8b49042b3579d19b6ded5014e42e6d059394845f74c704decbc95a08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/component-library/modal-focus/modal-focus.tsx"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 114485, "scanner": "repobility-threat-engine", "fingerprint": "7257cb50f203fd3ec27982a11a163bded753ca9de68dc47a29e7da04ddc7269b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7257cb50f203fd3ec27982a11a163bded753ca9de68dc47a29e7da04ddc7269b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/app/srp-quiz-modal/QuizContent/QuizContent.tsx"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 114484, "scanner": "repobility-threat-engine", "fingerprint": "3084e78ed4532d7c83889517075c4e9cf0d765252075e877a242efc2dd76248d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3084e78ed4532d7c83889517075c4e9cf0d765252075e877a242efc2dd76248d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/app/snaps/snap-ui-renderer/utils.ts"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 114483, "scanner": "repobility-threat-engine", "fingerprint": "428f29b28a30b318f938a77458a5f4156fca980f0db803e0a5321b2b9299b39e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|428f29b28a30b318f938a77458a5f4156fca980f0db803e0a5321b2b9299b39e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/app/rewards/RewardsQRCode.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 114482, "scanner": "repobility-threat-engine", "fingerprint": "b3ebcd810d057240d74446c46507b22f8da5fc8b045fe6f382ee93f99704535b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b3ebcd810d057240d74446c46507b22f8da5fc8b045fe6f382ee93f99704535b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/app/perps/perps-positions-orders/perps-positions-orders.tsx"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 114481, "scanner": "repobility-threat-engine", "fingerprint": "84775f80679688e4329fa0fa36dbe812e350e8cd21e5a92eac0410ead058019a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|84775f80679688e4329fa0fa36dbe812e350e8cd21e5a92eac0410ead058019a", "aggregated_count": 13}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 114480, "scanner": "repobility-threat-engine", "fingerprint": "6e2d21ec21a3688310e4f2825e887b96c687db2bea13f5620faa21588aa67261", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6e2d21ec21a3688310e4f2825e887b96c687db2bea13f5620faa21588aa67261"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/app/perps/perps-skeletons/perps-detail-page-skeleton.tsx"}, "region": {"startLine": 112}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 114479, "scanner": "repobility-threat-engine", "fingerprint": "c7fa5b7bd2250ec0ffacc8e810cde886abf46733726d88826b3520e831f4fd49", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c7fa5b7bd2250ec0ffacc8e810cde886abf46733726d88826b3520e831f4fd49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/app/perps/perps-market-recent-activity/perps-market-recent-activity.tsx"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 114478, "scanner": "repobility-threat-engine", "fingerprint": "2b8a255311c0863037a43076ce06ca4b146a7d763ab3f8ab7e55b393b3ee1741", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2b8a255311c0863037a43076ce06ca4b146a7d763ab3f8ab7e55b393b3ee1741"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/app/flask/experimental-area/experimental-area.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED088", "level": "none", "message": {"text": "[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks."}, "properties": {"repobilityId": 114477, "scanner": "repobility-threat-engine", "fingerprint": "218f31ce992b91716f3d5586ef27d70d3b40df906010063ab1c84de393f87e51", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-conditional-hook", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348143+00:00", "triaged_in_corpus": 20, "observations_count": 600, "ai_coder_pattern_id": 139}, "scanner": "repobility-threat-engine", "correlation_key": "fp|218f31ce992b91716f3d5586ef27d70d3b40df906010063ab1c84de393f87e51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/app/currency-input/hooks/useTokenExchangeRate.tsx"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC134", "level": "none", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 114476, "scanner": "repobility-threat-engine", "fingerprint": "c86a8223d36e18524aeee3169632549ad0e22449690a236f9850ddf0d78b00dc", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c86a8223d36e18524aeee3169632549ad0e22449690a236f9850ddf0d78b00dc"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 114472, "scanner": "repobility-threat-engine", "fingerprint": "7e0462b2c490fe7eba2ea956ff4861c11cad64832b524a58229f9622bd816096", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.warn('[MUSD] Failed to add mUSD token to token list:', err)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|4|console.warn musd failed to add musd token to token list: err"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/app/musd/utils/ensure-musd-token-imported.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 114471, "scanner": "repobility-threat-engine", "fingerprint": "172db703efa5791572e1026f1aec7b947797f08e10c6755effdd8f0d0e1958da", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('getAvatarTokenSrc - failed to get avatar token src', error)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|4|console.error getavatartokensrc - failed to get avatar token src error"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/app/assets/asset-list/cells/asset-cell-badge.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 114470, "scanner": "repobility-threat-engine", "fingerprint": "354adea967f770770c0cc79ded0c4988ea656a7e24209599abb0bcbc2f57c289", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.error(`\ud83e\udd8a Running ${config.mode} build\u2026`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|2|console.error running config.mode build"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "development/webpack/build.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 114468, "scanner": "repobility-threat-engine", "fingerprint": "b7c14669017ac17f4db12a528258a3816694f17f5dd761479089aa28c6c6fa10", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b7c14669017ac17f4db12a528258a3816694f17f5dd761479089aa28c6c6fa10"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 114464, "scanner": "repobility-threat-engine", "fingerprint": "76f26604356cfa8a7b4c5c36b948f4610c344a0c6cf38298a5f155dca43f2ec9", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|27|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/scripts/services/oauth/web-authenticator-factory.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 114463, "scanner": "repobility-threat-engine", "fingerprint": "4e858a56c34b65b0912e3fe629971d6d32fcda68cee02eb1f3bab34175679dd4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4e858a56c34b65b0912e3fe629971d6d32fcda68cee02eb1f3bab34175679dd4"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 114459, "scanner": "repobility-threat-engine", "fingerprint": "cd6259dea271f22c4a92cec5e1f348d2448cee14ffb575003568ca86cf3cd1df", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|cd6259dea271f22c4a92cec5e1f348d2448cee14ffb575003568ca86cf3cd1df", "aggregated_count": 9}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 114458, "scanner": "repobility-threat-engine", "fingerprint": "48c6d5d8581577125e9cf3c0f2f8d21c41d9e142d56dd7b33600869013875ad0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|48c6d5d8581577125e9cf3c0f2f8d21c41d9e142d56dd7b33600869013875ad0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/components/app/modals/pna25-modal/pna25-modal.tsx"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 114457, "scanner": "repobility-threat-engine", "fingerprint": "f620b242cdf45d02a00c1d26738bc6ab523446795b1474e86c8027c7b807725b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f620b242cdf45d02a00c1d26738bc6ab523446795b1474e86c8027c7b807725b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "development/circular-deps.ts"}, "region": {"startLine": 228}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 114456, "scanner": "repobility-threat-engine", "fingerprint": "ea1d48309552da32fe60cc1fed89105b8da740e94e5da1a69667a77e746735ff", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea1d48309552da32fe60cc1fed89105b8da740e94e5da1a69667a77e746735ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/scripts/controllers/institutional-snap/InstitutionalSnapController.ts"}, "region": {"startLine": 123}}}]}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 114451, "scanner": "repobility-threat-engine", "fingerprint": "4b4fcb39860c0c890bc1527b18eb2c3dccb82650867bb6ef48dd72d2b2520354", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.node' detected on same line", "evidence": {"match": "require(n", "reason": "Safe pattern '\\.node' detected on same line", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|4b4fcb39860c0c890bc1527b18eb2c3dccb82650867bb6ef48dd72d2b2520354"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".yarn/plugins/@yarnpkg/plugin-engines.cjs"}, "region": {"startLine": 6}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 47 more): Same pattern found in 47 additional files. Review if needed."}, "properties": {"repobilityId": 114449, "scanner": "repobility-threat-engine", "fingerprint": "1604fc2a6059fbcd43640017b006592aa0b1ba1c8f27ee1e39cbd3d6671ebeeb", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 47 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 47 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1604fc2a6059fbcd43640017b006592aa0b1ba1c8f27ee1e39cbd3d6671ebeeb"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 114439, "scanner": "repobility-threat-engine", "fingerprint": "606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 114435, "scanner": "repobility-threat-engine", "fingerprint": "f50747163d70dab1fa2519c9a96d374fa64771763e354f97facd6a46500faf29", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f50747163d70dab1fa2519c9a96d374fa64771763e354f97facd6a46500faf29"}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 114428, "scanner": "repobility-threat-engine", "fingerprint": "68351c44b169cdd64f82fd65088228c77c27ac578d4c722c65f720b4cc0d6630", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|68351c44b169cdd64f82fd65088228c77c27ac578d4c722c65f720b4cc0d6630", "aggregated_count": 9}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 114427, "scanner": "repobility-threat-engine", "fingerprint": "d8224351b9c6d50862622ebf0935e98c3c7cae15353544348020ad52165cbfdb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d8224351b9c6d50862622ebf0935e98c3c7cae15353544348020ad52165cbfdb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/create-e2e-test-report.mts"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 114426, "scanner": "repobility-threat-engine", "fingerprint": "055963ea36b8c50a9a2fd27917ffaf5e9910dad5fc0ece9676457cf85b954b85", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|055963ea36b8c50a9a2fd27917ffaf5e9910dad5fc0ece9676457cf85b954b85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/create-bug-report-issue.mts"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 114425, "scanner": "repobility-threat-engine", "fingerprint": "6b21852b1ea0b888043059680d0b2fca84d6ad9ccd03ec50340725cd15279f53", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6b21852b1ea0b888043059680d0b2fca84d6ad9ccd03ec50340725cd15279f53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/benchmark-fp-rate.mts"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 20 more): Same pattern found in 20 additional files. Review if needed."}, "properties": {"repobilityId": 114424, "scanner": "repobility-threat-engine", "fingerprint": "87a25b5d2136cb25a9c0e8ca888d0ef9def52d4db675882cc34d89f0fea209d1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 20 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|87a25b5d2136cb25a9c0e8ca888d0ef9def52d4db675882cc34d89f0fea209d1", "aggregated_count": 20}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 114423, "scanner": "repobility-threat-engine", "fingerprint": "c21cd320fc1c37d6f2ff8710301a07e52edb576a7ca2e7f701dc2b73b3339801", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c21cd320fc1c37d6f2ff8710301a07e52edb576a7ca2e7f701dc2b73b3339801"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/post-nightly-builds.mts"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 114422, "scanner": "repobility-threat-engine", "fingerprint": "58ab259890b453424baea1802322111db3bad74720750b14936f81ee3ef2a7b0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|58ab259890b453424baea1802322111db3bad74720750b14936f81ee3ef2a7b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/git-diff-default-branch.mts"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 114421, "scanner": "repobility-threat-engine", "fingerprint": "e9b4bec18ee3a6bf944b36bf4b1b65e567c53cd6c0ef30969b84d256fa372d24", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e9b4bec18ee3a6bf944b36bf4b1b65e567c53cd6c0ef30969b84d256fa372d24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/launch-firefox.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 103 more): Same pattern found in 103 additional files. Review if needed."}, "properties": {"repobilityId": 114420, "scanner": "repobility-threat-engine", "fingerprint": "6c2150cd51bc5d93f451d0ad6937ddcee261ff159932aa6ab9f44069efaf94fd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 103 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6c2150cd51bc5d93f451d0ad6937ddcee261ff159932aa6ab9f44069efaf94fd", "aggregated_count": 103}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 114419, "scanner": "repobility-threat-engine", "fingerprint": "573d91ee2ce048e25022963c38a0d04dc64ae180157b48226b238527c413abbe", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|573d91ee2ce048e25022963c38a0d04dc64ae180157b48226b238527c413abbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/check-pr-has-required-labels.mts"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 114418, "scanner": "repobility-threat-engine", "fingerprint": "3c6bb928c61ffcb8d3e75a764f69417ad51813ea8cc87cf5306ad2904b04fa2f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3c6bb928c61ffcb8d3e75a764f69417ad51813ea8cc87cf5306ad2904b04fa2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/benchmark-fp-rate.mts"}, "region": {"startLine": 241}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 114417, "scanner": "repobility-threat-engine", "fingerprint": "27add83a8cc3c3f47df21c225a087f392006e6bcfc6bf246cb50afb6b2ab1b71", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|27add83a8cc3c3f47df21c225a087f392006e6bcfc6bf246cb50afb6b2ab1b71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/add-release-label-to-pr-and-linked-issues.mts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114533, "scanner": "repobility-supply-chain", "fingerprint": "98ce9f2a09adbcfc7742b85e626e06bbb801629526e6536cdcc5a25063914c0f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|98ce9f2a09adbcfc7742b85e626e06bbb801629526e6536cdcc5a25063914c0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-e2e-fixtures.yml"}, "region": {"startLine": 189}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/restore` pinned to mutable ref `@v5`: `uses: actions/cache/restore@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114532, "scanner": "repobility-supply-chain", "fingerprint": "15ace5afda51e6440da0b8c38d1e76a0c3c7486db440f89dc2eb9db81fec5370", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|15ace5afda51e6440da0b8c38d1e76a0c3c7486db440f89dc2eb9db81fec5370"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-e2e-fixtures.yml"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/restore` pinned to mutable ref `@v5`: `uses: actions/cache/restore@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114531, "scanner": "repobility-supply-chain", "fingerprint": "1916fff91e4e4cdcbf4091196a5a3f398319d89240509574e299a8e42de4631b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1916fff91e4e4cdcbf4091196a5a3f398319d89240509574e299a8e42de4631b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-e2e-fixtures.yml"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `MetaMask/action-checkout-and-setup` pinned to mutable ref `@v3`: `uses: MetaMask/action-checkout-and-setup@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114530, "scanner": "repobility-supply-chain", "fingerprint": "eee5ff2ccaab961abc4953c668d911a426363f157778951568badde62aec12da", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eee5ff2ccaab961abc4953c668d911a426363f157778951568badde62aec12da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-e2e-fixtures.yml"}, "region": {"startLine": 149}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114529, "scanner": "repobility-supply-chain", "fingerprint": "4cc5bc5a343e8c4b4c108456ceadfafc63462d3b1cf85c12de03ab46a9890062", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4cc5bc5a343e8c4b4c108456ceadfafc63462d3b1cf85c12de03ab46a9890062"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-e2e-fixtures.yml"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/save` pinned to mutable ref `@v5`: `uses: actions/cache/save@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114528, "scanner": "repobility-supply-chain", "fingerprint": "175ee10fe290ffd71155d693b60323e35cfaf7573887839eb225fb438f6728c4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|175ee10fe290ffd71155d693b60323e35cfaf7573887839eb225fb438f6728c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-e2e-fixtures.yml"}, "region": {"startLine": 131}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `MetaMask/action-checkout-and-setup` pinned to mutable ref `@v3`: `uses: MetaMask/action-checkout-and-setup@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114527, "scanner": "repobility-supply-chain", "fingerprint": "61577761280fb898ea25a20a4c00939f1f31adbd5dde260aa31f0ae7ca697040", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|61577761280fb898ea25a20a4c00939f1f31adbd5dde260aa31f0ae7ca697040"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-e2e-fixtures.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114526, "scanner": "repobility-supply-chain", "fingerprint": "6b3841c4dcb3aa0c2cf62cb95b85131513307232ff6813ba70bcc07647ede51e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b3841c4dcb3aa0c2cf62cb95b85131513307232ff6813ba70bcc07647ede51e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-e2e-fixtures.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114525, "scanner": "repobility-supply-chain", "fingerprint": "cae0bf3f5011d566bb052faca9dc5f2538cf515fcd92188573cf3b257f2a3115", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cae0bf3f5011d566bb052faca9dc5f2538cf515fcd92188573cf3b257f2a3115"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-e2e-fixtures.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114524, "scanner": "repobility-supply-chain", "fingerprint": "480e9eb7ca87d6971497f7235b94f4f27956afd53dd97ccd289f88b963ab0984", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|480e9eb7ca87d6971497f7235b94f4f27956afd53dd97ccd289f88b963ab0984"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update-e2e-fixtures.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114523, "scanner": "repobility-supply-chain", "fingerprint": "85edd8f345741a91d0a1a7b63c8459c5adb0294783272db8722c758526465a0a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|85edd8f345741a91d0a1a7b63c8459c5adb0294783272db8722c758526465a0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/crowdin-download-translations.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v7`: `uses: actions/download-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114522, "scanner": "repobility-supply-chain", "fingerprint": "7ed658c8d4a318b8360f30d2484c5aa37cf1d81c8f9e24d6b89aa133cc01f52c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7ed658c8d4a318b8360f30d2484c5aa37cf1d81c8f9e24d6b89aa133cc01f52c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-benchmarks.yml"}, "region": {"startLine": 311}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114521, "scanner": "repobility-supply-chain", "fingerprint": "04ff034f2424bff603f478a2da7c94607d878b626b208071382e1974f1c7e1e7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|04ff034f2424bff603f478a2da7c94607d878b626b208071382e1974f1c7e1e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-benchmarks.yml"}, "region": {"startLine": 307}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v7`: `uses: actions/download-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114520, "scanner": "repobility-supply-chain", "fingerprint": "95b100115a11a2a4f0f3ef96fe8b2e828158d45dfc03b81c37b943baba74afb5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|95b100115a11a2a4f0f3ef96fe8b2e828158d45dfc03b81c37b943baba74afb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-benchmarks.yml"}, "region": {"startLine": 245}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114519, "scanner": "repobility-supply-chain", "fingerprint": "6b0b3ab52302f6389745009d125fe4a94e178ef1a190cda09b1654575e9670ec", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b0b3ab52302f6389745009d125fe4a94e178ef1a190cda09b1654575e9670ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-benchmarks.yml"}, "region": {"startLine": 235}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114518, "scanner": "repobility-supply-chain", "fingerprint": "6149140bed0c4bf23412e0a6d7b2e2cfda0f3c718aa9e06970f33b9a0634b315", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6149140bed0c4bf23412e0a6d7b2e2cfda0f3c718aa9e06970f33b9a0634b315"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-benchmarks.yml"}, "region": {"startLine": 222}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114517, "scanner": "repobility-supply-chain", "fingerprint": "01dc58d3557d6d2d03e2f7fb530d464e268f375d98bdd288d4b9edddda59f31d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|01dc58d3557d6d2d03e2f7fb530d464e268f375d98bdd288d4b9edddda59f31d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-benchmarks.yml"}, "region": {"startLine": 195}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `MetaMask/github-tools/.github/actions/upload-s3` pinned to mutable ref `@v1`: `uses: MetaMask/github-tools/.github/actions/upload-s3@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114516, "scanner": "repobility-supply-chain", "fingerprint": "6220b9d0d56723e8c054e75dd60f9bbed5c0635a70ecea1b4eed8c4b27543a5a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6220b9d0d56723e8c054e75dd60f9bbed5c0635a70ecea1b4eed8c4b27543a5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-benchmarks.yml"}, "region": {"startLine": 186}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v7`: `uses: actions/download-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114515, "scanner": "repobility-supply-chain", "fingerprint": "b799a18b64b7c109de768a99da2412c48e2e152737b4ae11519b18a88838ac3a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b799a18b64b7c109de768a99da2412c48e2e152737b4ae11519b18a88838ac3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-benchmarks.yml"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `MetaMask/action-checkout-and-setup` pinned to mutable ref `@v3`: `uses: MetaMask/action-checkout-and-setup@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114514, "scanner": "repobility-supply-chain", "fingerprint": "0f064c35206146212b536cbe3e44a588fe8e2b07a5b39d86355ac0436820e8f1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f064c35206146212b536cbe3e44a588fe8e2b07a5b39d86355ac0436820e8f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-benchmarks.yml"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114513, "scanner": "repobility-supply-chain", "fingerprint": "84ce9814d94a9f4657361abe5f525d54dac36b17ac42c7c4f9592bbd2a262f47", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|84ce9814d94a9f4657361abe5f525d54dac36b17ac42c7c4f9592bbd2a262f47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-benchmarks.yml"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `MetaMask/github-tools/.github/actions/upload-s3` pinned to mutable ref `@v1`: `uses: MetaMask/github-tools/.github/actions/upload-s3@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114512, "scanner": "repobility-supply-chain", "fingerprint": "0a942975eaca44867c664e3d61fae906b83d71d8e6d088980cc0d3a9e190a158", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a942975eaca44867c664e3d61fae906b83d71d8e6d088980cc0d3a9e190a158"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-benchmarks.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v7`: `uses: actions/download-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114511, "scanner": "repobility-supply-chain", "fingerprint": "8e26f916429e7bc910c5f3051daf3f67a20a90dcc323b014a4ad1d0f99f5771e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8e26f916429e7bc910c5f3051daf3f67a20a90dcc323b014a4ad1d0f99f5771e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-benchmarks.yml"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/restore` pinned to mutable ref `@v5`: `uses: actions/cache/restore@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114510, "scanner": "repobility-supply-chain", "fingerprint": "5ef019e927a6657669848d54229ac0c68b900355832d63ff16dc5b202e17363a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5ef019e927a6657669848d54229ac0c68b900355832d63ff16dc5b202e17363a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-benchmarks.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `MetaMask/action-checkout-and-setup` pinned to mutable ref `@v3`: `uses: MetaMask/action-checkout-and-setup@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 114509, "scanner": "repobility-supply-chain", "fingerprint": "70d6faa1927d0b0e7f16a5e7711345ce86aed68c27e1df62728b582e3aa685a1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|70d6faa1927d0b0e7f16a5e7711345ce86aed68c27e1df62728b582e3aa685a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/run-benchmarks.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 114503, "scanner": "repobility-journey-contract", "fingerprint": "4b15ac3439adb3eb99414e23983e6433a2c00e53e9ce4ed3781fbda74b9eead6", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|ui/selectors/selectors.js|2328|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 0}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/selectors/selectors.js"}, "region": {"startLine": 2328}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 114469, "scanner": "repobility-threat-engine", "fingerprint": "6faa4583e6e147781756620acc19894991a57852f805b118e06cfd2078ecbf96", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(String", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6faa4583e6e147781756620acc19894991a57852f805b118e06cfd2078ecbf96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "development/metamaskbot-build-announce/test-plan.ts"}, "region": {"startLine": 163}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 114467, "scanner": "repobility-threat-engine", "fingerprint": "0f01ca1b5148ec307f2c04a2ed43f59c954545751fc7c0e11879242361f72689", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n          (part) =>\n            `${part}: ${getHumanReadableSize(diffs[part])} (${getPercentage", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0f01ca1b5148ec307f2c04a2ed43f59c954545751fc7c0e11879242361f72689"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "development/metamaskbot-build-announce/bundle-size.ts"}, "region": {"startLine": 126}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 114466, "scanner": "repobility-threat-engine", "fingerprint": "fdd3af64e570bd4eb02186a9c29541484629fe0cb4029da53d34a37b07802bb3", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n            ([platform, url]) => `<a href=\"${url}\">${platform}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fdd3af64e570bd4eb02186a9c29541484629fe0cb4029da53d34a37b07802bb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "development/metamaskbot-build-announce/artifacts.ts"}, "region": {"startLine": 193}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 114465, "scanner": "repobility-threat-engine", "fingerprint": "5dfd8016e59081ee436a26797669afcbe520d640e65f821f5af6d7a95e2d0b26", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((block) => `diff --git ${block}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5dfd8016e59081ee436a26797669afcbe520d640e65f821f5af6d7a95e2d0b26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "development/fitness-functions/common/shared.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 114462, "scanner": "repobility-threat-engine", "fingerprint": "d4950fd4936931f6227a7a444404590317892119537f5c8eb112915548d7eea9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cookieHandlerMux.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d4950fd4936931f6227a7a444404590317892119537f5c8eb112915548d7eea9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/scripts/streams/cookie-handler-stream.ts"}, "region": {"startLine": 179}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 114461, "scanner": "repobility-threat-engine", "fingerprint": "b39fb67d573a3da3328176057ebb611eb4f240f2406562e3038aec853e86f0b9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "browser.tabs.create({ url });", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b39fb67d573a3da3328176057ebb611eb4f240f2406562e3038aec853e86f0b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/scripts/platforms/extension.js"}, "region": {"startLine": 244}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 114460, "scanner": "repobility-threat-engine", "fingerprint": "00d54d30ddeecc927aa1bcd0214bdc59b60ad96ce540a38d0370a4c4f90dde3d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "newKeys.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|00d54d30ddeecc927aa1bcd0214bdc59b60ad96ce540a38d0370a4c4f90dde3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/scripts/controllers/permissions/differs.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 114448, "scanner": "repobility-threat-engine", "fingerprint": "e60f8aa859e20af736f38474eb20e59796998e08c9a0ee86453c55688a9ea420", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e60f8aa859e20af736f38474eb20e59796998e08c9a0ee86453c55688a9ea420"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/scripts/constants/marketing-site-whitelist.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 114447, "scanner": "repobility-threat-engine", "fingerprint": "2e1ae93035a01a049a201cab56d0c6c1fde11daeeaf87617a4885c52922ac301", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2e1ae93035a01a049a201cab56d0c6c1fde11daeeaf87617a4885c52922ac301"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/post-nightly-builds.mts"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 114446, "scanner": "repobility-threat-engine", "fingerprint": "7bb6331dcb303021af29aa340a6b59a39178dad840944423a05a655198bf271c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7bb6331dcb303021af29aa340a6b59a39178dad840944423a05a655198bf271c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/create-e2e-test-report.mts"}, "region": {"startLine": 234}}}]}, {"ruleId": "SEC026", "level": "error", "message": {"text": "[SEC026] XML External Entity (XXE) \u2014 Ruby Nokogiri default: Ruby XML parsers (Nokogiri, REXML, libxml-ruby) expand external entities by default. REXML in particular has historical billion-laughs vulnerabilities."}, "properties": {"repobilityId": 114445, "scanner": "repobility-threat-engine", "fingerprint": "adabd4a0fb0c85cdfebbfb8822091a4e4d6363880ee8dabe97df907936bebd6d", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "XML.parse(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC026", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|adabd4a0fb0c85cdfebbfb8822091a4e4d6363880ee8dabe97df907936bebd6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/merge-test-results.mts"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC026", "level": "error", "message": {"text": "[SEC026] XML External Entity (XXE) \u2014 Ruby Nokogiri default: Ruby XML parsers (Nokogiri, REXML, libxml-ruby) expand external entities by default. REXML in particular has historical billion-laughs vulnerabilities."}, "properties": {"repobilityId": 114444, "scanner": "repobility-threat-engine", "fingerprint": "ed971c30eb81bbd977ae558b0abe7bbbde509ff03c34d7bae243f67496ea6996", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "XML.parse(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC026", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ed971c30eb81bbd977ae558b0abe7bbbde509ff03c34d7bae243f67496ea6996"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/extract-test-results.mts"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC026", "level": "error", "message": {"text": "[SEC026] XML External Entity (XXE) \u2014 Ruby Nokogiri default: Ruby XML parsers (Nokogiri, REXML, libxml-ruby) expand external entities by default. REXML in particular has historical billion-laughs vulnerabilities."}, "properties": {"repobilityId": 114443, "scanner": "repobility-threat-engine", "fingerprint": "944f986429f6d0a65036559e8cf3723b77685ae8a781eea3366b59433aa05701", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "XML.parse(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC026", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|944f986429f6d0a65036559e8cf3723b77685ae8a781eea3366b59433aa05701"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/create-e2e-test-report.mts"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED010", "level": "error", "message": {"text": "[MINED010] Ruby System Call: system / backtick run shell. Command injection if any arg dynamic."}, "properties": {"repobilityId": 114442, "scanner": "repobility-threat-engine", "fingerprint": "b16c5c577446b774d208ca404b26de8734aba5e80f05d691bea172824b596595", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b16c5c577446b774d208ca404b26de8734aba5e80f05d691bea172824b596595"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/shared/get-pr-diff.mts"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED010", "level": "error", "message": {"text": "[MINED010] Ruby System Call: system / backtick run shell. Command injection if any arg dynamic."}, "properties": {"repobilityId": 114441, "scanner": "repobility-threat-engine", "fingerprint": "3ea9d75edfff5780341d28d684fe8ca9f412d126a29dfb4ab6606b57961525c7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3ea9d75edfff5780341d28d684fe8ca9f412d126a29dfb4ab6606b57961525c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/known-feature-flag-constants.mts"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED010", "level": "error", "message": {"text": "[MINED010] Ruby System Call: system / backtick run shell. Command injection if any arg dynamic."}, "properties": {"repobilityId": 114440, "scanner": "repobility-threat-engine", "fingerprint": "b9c17c50bf9dd33d01d500e56aff72a0e209a680b8a790fc184be78eff49a922", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347921+00:00", "triaged_in_corpus": 15, "observations_count": 189513, "ai_coder_pattern_id": 162}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b9c17c50bf9dd33d01d500e56aff72a0e209a680b8a790fc184be78eff49a922"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/collect-qa-stats-metametrics.mts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 114438, "scanner": "repobility-threat-engine", "fingerprint": "f51d30da93238d20129c5b876424b092181af1b236b3ae0e2e8dd83e4a662d93", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(line", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f51d30da93238d20129c5b876424b092181af1b236b3ae0e2e8dd83e4a662d93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/shared/get-pr-diff.mts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 114437, "scanner": "repobility-threat-engine", "fingerprint": "4864065cb7a8ac3a2a87b15193b688cb16b8a44e52db409166c59fb837dec5a9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4864065cb7a8ac3a2a87b15193b688cb16b8a44e52db409166c59fb837dec5a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/known-feature-flag-constants.mts"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 114436, "scanner": "repobility-threat-engine", "fingerprint": "1bbe7b76bd063ebb117212e61e59ae2cc55c83c0f6aa254f76e1e2d67ac8b763", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(source", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1bbe7b76bd063ebb117212e61e59ae2cc55c83c0f6aa254f76e1e2d67ac8b763"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/collect-qa-stats-metametrics.mts"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 114431, "scanner": "repobility-threat-engine", "fingerprint": "bfe17cb2d14421e6e0fdf34e0642720f1b8d3ba01ecbba518fe52e7d62993fb0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bfe17cb2d14421e6e0fdf34e0642720f1b8d3ba01ecbba518fe52e7d62993fb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/bundle.sh"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.RELEASE_LABEL_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.RELEASE_LABEL_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 114550, "scanner": "repobility-supply-chain", "fingerprint": "07625e934aedeb072cd11fd42a054cf9d53bdf870cc2ee490a10c0b68529970e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|07625e934aedeb072cd11fd42a054cf9d53bdf870cc2ee490a10c0b68529970e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/add-release-label.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AI_ANALYZER_LITELLM_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AI_ANALYZER_LITELLM_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 114549, "scanner": "repobility-supply-chain", "fingerprint": "c41d06b72fecd71b9b4609cad4ecc69773997d5ee5eae6dca9307f780ad8999a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c41d06b72fecd71b9b4609cad4ecc69773997d5ee5eae6dca9307f780ad8999a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ai-pr-risk-analysis.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AI_ANALYZER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AI_ANALYZER_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 114548, "scanner": "repobility-supply-chain", "fingerprint": "659d1f3de53acb1f3e9880ff9e56e7d5a53cd2d66870c89952dfc3be6310521c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|659d1f3de53acb1f3e9880ff9e56e7d5a53cd2d66870c89952dfc3be6310521c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ai-pr-risk-analysis.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.METAMASK_REGRESSION_TRIGGER_TEST` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.METAMASK_REGRESSION_TRIGGER_TEST }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 114547, "scanner": "repobility-supply-chain", "fingerprint": "f2457e1b6c4899a4f771c73756cc00e4885f36ed6d72532b6f2bbb0da1afe9f8", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f2457e1b6c4899a4f771c73756cc00e4885f36ed6d72532b6f2bbb0da1afe9f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 651}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.E2E_GEMINI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.E2E_GEMINI_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 114546, "scanner": "repobility-supply-chain", "fingerprint": "5f2a3fe4ddd9b1cd8f6831ebd4118258349e8d2102a707ec4e96153daf40e962", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5f2a3fe4ddd9b1cd8f6831ebd4118258349e8d2102a707ec4e96153daf40e962"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 623}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.E2E_CLAUDE_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.E2E_CLAUDE_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 114545, "scanner": "repobility-supply-chain", "fingerprint": "b4054753f304c7b0cd353861ab8eba97481d55d316f471c84cdaf66b0fecdd30", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4054753f304c7b0cd353861ab8eba97481d55d316f471c84cdaf66b0fecdd30"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 622}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.E2E_OPENAI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.E2E_OPENAI_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 114544, "scanner": "repobility-supply-chain", "fingerprint": "8fee8f5719b1baf8cbe0963dad85653561300ff4b7adc0af94fac654375e23d5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8fee8f5719b1baf8cbe0963dad85653561300ff4b7adc0af94fac654375e23d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 621}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PR_COMMENT_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PR_COMMENT_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 114543, "scanner": "repobility-supply-chain", "fingerprint": "31dae077bd82c1bfc1236dd133b7625261f4d80591d68a13ae4d7b914d1f481a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|31dae077bd82c1bfc1236dd133b7625261f4d80591d68a13ae4d7b914d1f481a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 620}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TS_MIGRATION_DASHBOARD_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TS_MIGRATION_DASHBOARD_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 114542, "scanner": "repobility-supply-chain", "fingerprint": "d1f63a342ed0039bd57ee64f9b7d36951dbb79eb3af8faf6f3868cf6d4b7bb58", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d1f63a342ed0039bd57ee64f9b7d36951dbb79eb3af8faf6f3868cf6d4b7bb58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 550}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.INFURA_PROJECT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.INFURA_PROJECT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 114541, "scanner": "repobility-supply-chain", "fingerprint": "2abec69faca0565f5d9c2cc2778f1a5e7473a24fc9bfba664c506e799911e2d2", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2abec69faca0565f5d9c2cc2778f1a5e7473a24fc9bfba664c506e799911e2d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 533}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.EXTENSION_BUNDLESIZE_STATS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.EXTENSION_BUNDLESIZE_STATS_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 114540, "scanner": "repobility-supply-chain", "fingerprint": "3ad3471ba562017ec241760c7d5fc80be4af7f3e84dc0f2e404d6f70da3c316a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ad3471ba562017ec241760c7d5fc80be4af7f3e84dc0f2e404d6f70da3c316a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 455}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SONAR_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SONAR_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 114539, "scanner": "repobility-supply-chain", "fingerprint": "21ab1fd05f9e0b87995084c27a9d7688555181c34aae864051bc1e66d0d8582d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|21ab1fd05f9e0b87995084c27a9d7688555181c34aae864051bc1e66d0d8582d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 444}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BUG_REPORT_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BUG_REPORT_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 114538, "scanner": "repobility-supply-chain", "fingerprint": "209a3daa546ce1d3cdbb24f209e66651fed0fe77b0857e7c916131493d608c5c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|209a3daa546ce1d3cdbb24f209e66651fed0fe77b0857e7c916131493d608c5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/close-bug-report.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.STABLE_SYNC_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.STABLE_SYNC_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 114537, "scanner": "repobility-supply-chain", "fingerprint": "b457b7585c4c1d788a183f5c7228464790333b28d4f4a9f5f1d85b0c1a863bc0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b457b7585c4c1d788a183f5c7228464790333b28d4f4a9f5f1d85b0c1a863bc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-branch-sync.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APPSEC_BOT_SLACK_WEBHOOK` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPSEC_BOT_SLACK_WEBHOOK }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 114536, "scanner": "repobility-supply-chain", "fingerprint": "dc7d2678ff041af95d887be9504356a2bbe519687c328987f2e7cd23c79a4be0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dc7d2678ff041af95d887be9504356a2bbe519687c328987f2e7cd23c79a4be0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-code-scanner.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SECURITY_SCAN_METRICS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SECURITY_SCAN_METRICS_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 114535, "scanner": "repobility-supply-chain", "fingerprint": "4ba7a0b5480dae37dc1e9b0fbd12007b18daa0d86edd9705c8303e80af164e91", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4ba7a0b5480dae37dc1e9b0fbd12007b18daa0d86edd9705c8303e80af164e91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security-code-scanner.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.LAVAMOAT_UPDATE_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.LAVAMOAT_UPDATE_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 114534, "scanner": "repobility-supply-chain", "fingerprint": "e9a274dcb92cb2efd3c6b13eaa6d03d59e37878ce6af5a321629656f4dd6ba1c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e9a274dcb92cb2efd3c6b13eaa6d03d59e37878ce6af5a321629656f4dd6ba1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-update-pr-targeting-release.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 114450, "scanner": "repobility-threat-engine", "fingerprint": "a21fb6c64e2294a3343f864d40a153224d956ddb21faacb69bfb96a8fe23d71a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a21fb6c64e2294a3343f864d40a153224d956ddb21faacb69bfb96a8fe23d71a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 114430, "scanner": "repobility-threat-engine", "fingerprint": "3539a1eaf9ebc58b08e49d92cd4030290d69f8ceeb6e2ef5cbb40eabe05cd902", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3539a1eaf9ebc58b08e49d92cd4030290d69f8ceeb6e2ef5cbb40eabe05cd902"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/bundle-stats-commit.sh"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 114429, "scanner": "repobility-threat-engine", "fingerprint": "e7a49c62ee591fc613332f5dd66a663ab594b3fe5ba67016c61eda4afff222a5", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e7a49c62ee591fc613332f5dd66a663ab594b3fe5ba67016c61eda4afff222a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/benchmark-stats-commit.sh"}, "region": {"startLine": 202}}}]}]}]}