{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `loopat` image uses the latest tag", "shortDescription": {"text": "Compose service `loopat` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . 
is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. 
Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "AGT013", "name": "Agent auto-approve or skip-permissions mode is easy to enable", "shortDescription": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "fullDescription": {"text": "Codex/agent auto-approve, YOLO, or skip-permissions modes can be useful in isolated automation, but they remove the human checkpoint before command execution, network access, and file edits."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AGT012", "name": "Agent control bridge may listen on a network interface without visible auth", "shortDescription": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "fullDescription": {"text": "Agent, MCP, sidecar, and command bridge servers often start as local helpers. 
Binding them to 0.0.0.0 or a default all-interface listener without an authorization guard can expose tool execution or session data to the LAN."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. 
Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Public websites should publish a robots.txt file so crawlers and AI agents can discover crawl rules and sitemap locations without guessing."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. 
Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-NPM", "name": "npm package `@types/react-dom` is minor version(s) behind (^19.0.0 -> 19.2.3)", "shortDescription": {"text": "npm package `@types/react-dom` is minor version(s) behind (^19.0.0 -> 19.2.3)"}, "fullDescription": {"text": "`@types/react-dom` is pinned/resolved at ^19.0.0 but the latest stable release on the npm registry is 19.2.3 (minor version(s) behind). Outdated dependencies accumulate unpatched bugs and make future security upgrades harder. This is the version-currency signal Dependabot version-update PRs raise."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "low", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 10 more): Same pattern found in 10 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 15 more): Same pattern found in 15 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0384", "name": "instant: RUSTSEC-2024-0384", "shortDescription": {"text": "instant: RUSTSEC-2024-0384"}, "fullDescription": {"text": "`instant` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. 
The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/setup-node` pinned to mutable ref `@v5`", "shortDescription": {"text": "Action `actions/setup-node` pinned to mutable ref `@v5`"}, "fullDescription": {"text": "`uses: actions/setup-node@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `oven/bun:1-slim` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `oven/bun:1-slim` not pinned by digest"}, "fullDescription": {"text": "`FROM oven/bun:1-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express DELETE /api/chat/channels/:id has no auth", "shortDescription": {"text": "Express DELETE /api/chat/channels/:id has no auth"}, "fullDescription": {"text": "Express route DELETE /api/chat/channels/:id declared without an auth middleware in its handler chain. 
Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DKC001", "name": "Compose service runs privileged", "shortDescription": {"text": "Compose service runs privileged"}, "fullDescription": {"text": "Privileged containers receive broad host kernel capabilities and can bypass container isolation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.98, "cwe": "", "owasp": ""}}, {"id": "MINED114", "name": "Admin endpoint without auth: POST /api/admin/system/pull", "shortDescription": {"text": "Admin endpoint without auth: POST /api/admin/system/pull"}, "fullDescription": {"text": "Express route on /admin path (/api/admin/system/pull) with no auth middleware."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "critical", "confidence": 0.8, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1138"}, "properties": {"repository": "simpx/loopat", "repoUrl": "https://github.com/simpx/loopat", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 113170, "scanner": "repobility-web-presence", "fingerprint": 
"5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 113169, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `loopat` image uses the latest tag"}, "properties": {"repobilityId": 113156, "scanner": "repobility-docker", "fingerprint": "3af3b3d3ec2fd9c2da08733f464f76a2562a591015c82ed58f2a6f0efd9a8328", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/simpx/loopat:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3af3b3d3ec2fd9c2da08733f464f76a2562a591015c82ed58f2a6f0efd9a8328"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 113154, "scanner": "repobility-docker", "fingerprint": "4cecc797fb50fa4bacc33cb71a80d0a5320ef9b8e38a410a164d494234c41be8", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|4cecc797fb50fa4bacc33cb71a80d0a5320ef9b8e38a410a164d494234c41be8", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 113147, "scanner": "repobility-threat-engine", "fingerprint": "b2e09147bc5025bd394cbc8bb79101e3efe862ef94b776af8870b348bb4b0bf1", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(menu.url, \"_blank\", \"noopener,noreferrer\")", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|124|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/chat/SvgRenderer.tsx"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 113141, "scanner": "repobility-threat-engine", "fingerprint": "63a96072d43cdf2237d2caae97899f02be7a16958c773b03dae67ff9cfd56c3d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|24|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/chat/UserMessage.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 113140, "scanner": "repobility-threat-engine", "fingerprint": "ce91ab9e21366adc6c8ece4a3572b6ca08115ae66d407fcae0050d9aa1964f5e", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|19|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/chat/HtmlArtifactCard.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 113139, "scanner": "repobility-threat-engine", "fingerprint": "63dd8ccefca86d751f57c4169214dedce2e705fe30944b3fe53cae71fa4b5b06", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|server/src/workspace.ts|294|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/workspace.ts"}, "region": {"startLine": 294}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 113123, "scanner": "repobility-threat-engine", "fingerprint": "23b6fd5111d36e4a90a62d0ce063f1af8bd573ab4b2a54c0e24ab3c6c9f8904f", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|23b6fd5111d36e4a90a62d0ce063f1af8bd573ab4b2a54c0e24ab3c6c9f8904f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/auth.ts"}, "region": {"startLine": 246}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 113122, "scanner": "repobility-threat-engine", "fingerprint": "4552d51b92eab2d635a009c778bf79c0122185fcc9dd465bfb6222083e8f1006", "category": "error_handling", "severity": "medium", "confidence": 1.0, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4552d51b92eab2d635a009c778bf79c0122185fcc9dd465bfb6222083e8f1006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/api-tokens.ts"}, "region": {"startLine": 105}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 113121, "scanner": "repobility-threat-engine", "fingerprint": "5659f8523682134a9c1b593e7bb6b2d2fe835abea3773a6e8d157fbcea9a6a4d", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5659f8523682134a9c1b593e7bb6b2d2fe835abea3773a6e8d157fbcea9a6a4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/loopat.ts"}, "region": {"startLine": 268}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 113119, "scanner": "repobility-threat-engine", "fingerprint": "cb76c044cd021b7921cd3febe7e65bbdb7d113568848db3f7592ad2a65c49a20", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.5 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: setup/install wizard 
(placeholder values)]", "evidence": {"match": "PASSWORD = \"<redacted>\"", "reason": "Low entropy value (2.5 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: setup/install wizard (placeholder values)]", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|dogfood/sync/setup.ts|3|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dogfood/sync/setup.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 113118, "scanner": "repobility-threat-engine", "fingerprint": "4dec4e563122e19a462c74f601133a467ab2ebc8d85b3a510b32dee3f82ba6d0", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.5 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: setup/install wizard (placeholder values)]", "evidence": {"match": "PASSWORD = \"<redacted>\"", "reason": "Low entropy value (2.5 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: setup/install wizard (placeholder values)]", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|dogfood/setup.ts|3|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dogfood/setup.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 113101, "scanner": "repobility-agent-runtime", "fingerprint": "02d02bf78e3375613f0bb6dfce5c037ea695b11e2bdda30b61c8683fd3a7f6af", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to 
localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|02d02bf78e3375613f0bb6dfce5c037ea695b11e2bdda30b61c8683fd3a7f6af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/useLoopRuntime.tsx"}, "region": {"startLine": 48}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 113100, "scanner": "repobility-agent-runtime", "fingerprint": "989368a0aa6589713586a04837c82293caeeeae9083f527aaa05dc41943957b7", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|989368a0aa6589713586a04837c82293caeeeae9083f527aaa05dc41943957b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/theme.tsx"}, "region": {"startLine": 52}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 113099, "scanner": "repobility-agent-runtime", "fingerprint": "bc02985cc443c5efc3ff1f46ebe2fb36199ad0ac9ab85e69e00f01ac8ba4ce0a", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": 
["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|bc02985cc443c5efc3ff1f46ebe2fb36199ad0ac9ab85e69e00f01ac8ba4ce0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/pages/ContextPage.tsx"}, "region": {"startLine": 290}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 113098, "scanner": "repobility-agent-runtime", "fingerprint": "2198cd98449b95477c49de2d32dbb818931f2a2194fe774e7f8547d88791d309", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|2198cd98449b95477c49de2d32dbb818931f2a2194fe774e7f8547d88791d309"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/chat/ChatInterface.tsx"}, "region": {"startLine": 51}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 113097, "scanner": "repobility-agent-runtime", "fingerprint": "81727e79b59044dfbc6468bd59d18c553e31c079be8ae5fce376d96ad9c410f2", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|81727e79b59044dfbc6468bd59d18c553e31c079be8ae5fce376d96ad9c410f2"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/Tree.tsx"}, "region": {"startLine": 25}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 113096, "scanner": "repobility-agent-runtime", "fingerprint": "6ffa15af51075fb65eb881c26d729011a41317c7a39f0c1bc72590929948ca2d", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|6ffa15af51075fb65eb881c26d729011a41317c7a39f0c1bc72590929948ca2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/SetupPersonalRepoCard.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 113095, "scanner": "repobility-agent-runtime", "fingerprint": "74e4072adac892a295fffabab710e27efa591458caefcfc5d54a066e6b6cdb45", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|74e4072adac892a295fffabab710e27efa591458caefcfc5d54a066e6b6cdb45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/Editor.tsx"}, "region": {"startLine": 93}}}]}, {"ruleId": "AGT007", "level": "warning", 
"message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 113094, "scanner": "repobility-agent-runtime", "fingerprint": "739d64ae4e5433c30c577d18af28f3401467be61fb81983263966e288748fe6b", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|739d64ae4e5433c30c577d18af28f3401467be61fb81983263966e288748fe6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/App.tsx"}, "region": {"startLine": 360}}}]}, {"ruleId": "AGT013", "level": "warning", "message": {"text": "Agent auto-approve or skip-permissions mode is easy to enable"}, "properties": {"repobilityId": 113093, "scanner": "repobility-agent-runtime", "fingerprint": "f50b7fcf7fcfe79cec55f45bb5d8ab2bff923c264da440d83ab2ff0779da50ed", "category": "quality", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File exposes or configures a broad agent auto-approval mode without enough local guard wording.", "evidence": {"rule_id": "AGT013", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|f50b7fcf7fcfe79cec55f45bb5d8ab2bff923c264da440d83ab2ff0779da50ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/podman.ts"}, "region": {"startLine": 412}}}]}, {"ruleId": "AGT012", "level": "warning", "message": {"text": "Agent control bridge may listen on a network interface without visible auth"}, "properties": {"repobilityId": 113092, "scanner": "repobility-agent-runtime", "fingerprint": "9ac36a69abc2c56379895ea120a103deb9b89ad028f778464299715e72a63748", 
"category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File combines agent-control wording with an HTTP/SSE/WebSocket listener on an all-interface host and no visible auth guard.", "evidence": {"rule_id": "AGT012", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|9ac36a69abc2c56379895ea120a103deb9b89ad028f778464299715e72a63748"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/podman.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 113168, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 113167, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], 
"correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 113166, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 113165, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks 
no-new-privileges hardening"}, "properties": {"repobilityId": 113158, "scanner": "repobility-docker", "fingerprint": "7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "loopat", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 113155, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 113146, "scanner": "repobility-threat-engine", "fingerprint": "2450788144069dd402cadb1841bb3d81be5995e8b0119729e633192fa3a97c84", "category": "injection", "severity": 
"low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = h", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|82|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/chat/MermaidBlock.tsx"}, "region": {"startLine": 82}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@types/react-dom` is minor version(s) behind (^19.0.0 -> 19.2.3)"}, "properties": {"repobilityId": 113090, "scanner": "repobility-dependency-currency", "fingerprint": "b29d2c853314d99250cab51ca4701f18af30e1b58365a419523e6b82dacaba70", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@types/react-dom", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "19.2.3", "correlation_key": "fp|b29d2c853314d99250cab51ca4701f18af30e1b58365a419523e6b82dacaba70", "current_version": "^19.0.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `tailwind-merge` is minor version(s) behind (^3.5.0 -> 3.6.0)"}, "properties": {"repobilityId": 113088, "scanner": "repobility-dependency-currency", "fingerprint": "c836ca764924a0ddf11a5349a681cc3e809774ebedf3358f65415bd23f33f607", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": 
"minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "tailwind-merge", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.6.0", "correlation_key": "fp|c836ca764924a0ddf11a5349a681cc3e809774ebedf3358f65415bd23f33f607", "current_version": "^3.5.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@viz-js/viz` is minor version(s) behind (^3.27.0 -> 3.28.0)"}, "properties": {"repobilityId": 113086, "scanner": "repobility-dependency-currency", "fingerprint": "00ef45a12cb62942e42ee891b733824a98020fc739bfab6c95ebcb1b20a9b0a3", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@viz-js/viz", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "3.28.0", "correlation_key": "fp|00ef45a12cb62942e42ee891b733824a98020fc739bfab6c95ebcb1b20a9b0a3", "current_version": "^3.27.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "note", "message": {"text": "npm package `@codemirror/view` is minor version(s) behind (^6.42.1 -> 6.43.0)"}, "properties": {"repobilityId": 113080, "scanner": "repobility-dependency-currency", "fingerprint": "7db452764af81f60b07759ae6a7f958b962e872730a679b0fcb525714018656a", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@codemirror/view", "scanner": "repobility-dependency-currency", "ecosystem": "npm", 
"languages": ["javascript"], "latest_version": "6.43.0", "correlation_key": "fp|7db452764af81f60b07759ae6a7f958b962e872730a679b0fcb525714018656a", "current_version": "^6.42.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113051, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e67101ef19cc2be721315ea8bc549d8cedfaa81dad5a63aeef96510684fdae05", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "web/src/useChatWebSocket.ts", "duplicate_line": 67, "correlation_key": "fp|e67101ef19cc2be721315ea8bc549d8cedfaa81dad5a63aeef96510684fdae05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/useLoopStatus.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113050, "scanner": "repobility-ai-code-hygiene", "fingerprint": "551b1034485fe4011bc9ea5075f103807e31327bb5bbdd75f5763d53b1a86d2e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "web/src/components/FloatingDm.tsx", "duplicate_line": 386, "correlation_key": "fp|551b1034485fe4011bc9ea5075f103807e31327bb5bbdd75f5763d53b1a86d2e"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/pages/ChatPage.tsx"}, "region": {"startLine": 834}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113049, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0dcae8de3ec2539bccbc40cc169fbef5dab7c981ddfa809672f1a06b453d09f0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "web/src/components/dialog/NewLoopDialog.tsx", "duplicate_line": 282, "correlation_key": "fp|0dcae8de3ec2539bccbc40cc169fbef5dab7c981ddfa809672f1a06b453d09f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/pages/AuthPage.tsx"}, "region": {"startLine": 140}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113048, "scanner": "repobility-ai-code-hygiene", "fingerprint": "87d65ca450575191dfc9d1ab04786f51155212569fcf920f8cdfa2e9ac066bcb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "web/src/components/chat/GraphvizBlock.tsx", "duplicate_line": 59, "correlation_key": "fp|87d65ca450575191dfc9d1ab04786f51155212569fcf920f8cdfa2e9ac066bcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/chat/PlantUMLBlock.tsx"}, "region": {"startLine": 63}}}]}, 
{"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113047, "scanner": "repobility-ai-code-hygiene", "fingerprint": "13282b16f0bfe9c86d0997b5c74c238dba6bbc34a708b5ab3bd1c1c3c33110d0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "web/src/components/chat/GraphvizBlock.tsx", "duplicate_line": 59, "correlation_key": "fp|13282b16f0bfe9c86d0997b5c74c238dba6bbc34a708b5ab3bd1c1c3c33110d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/chat/MermaidBlock.tsx"}, "region": {"startLine": 75}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113046, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cb75eb340bd81ed98895bbba674c94e6bfcde09621d305833108ae858b215580", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "web/src/components/assistant-ui/tool-fallback.tsx", "duplicate_line": 63, "correlation_key": "fp|cb75eb340bd81ed98895bbba674c94e6bfcde09621d305833108ae858b215580"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/assistant-ui/tool-group.tsx"}, "region": {"startLine": 75}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source 
files"}, "properties": {"repobilityId": 113045, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b15f55a25c8fce875bee04308eb63a7217a9fc4c321ad78f6ff3973f1a835bcd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "web/src/components/assistant-ui/reasoning.tsx", "duplicate_line": 49, "correlation_key": "fp|b15f55a25c8fce875bee04308eb63a7217a9fc4c321ad78f6ff3973f1a835bcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/assistant-ui/tool-group.tsx"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113044, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8354600b621e3fc00e810415e140bda0e4839e24bfc6c68d98c373c6e6302372", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "web/src/components/assistant-ui/reasoning.tsx", "duplicate_line": 49, "correlation_key": "fp|8354600b621e3fc00e810415e140bda0e4839e24bfc6c68d98c373c6e6302372"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/assistant-ui/tool-fallback.tsx"}, "region": {"startLine": 38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113043, "scanner": "repobility-ai-code-hygiene", 
"fingerprint": "195653915452306fa3804ad55d67422c876a8e3c278f80611b9ba39b283b8cd1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/src/files.ts", "duplicate_line": 28, "correlation_key": "fp|195653915452306fa3804ad55d67422c876a8e3c278f80611b9ba39b283b8cd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/workspace.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113042, "scanner": "repobility-ai-code-hygiene", "fingerprint": "da67c0578022cb8d9d50bfde16aa0813c05f640e89e27f0d6aa7e3e5356c3222", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dogfood/setup.ts", "duplicate_line": 52, "correlation_key": "fp|da67c0578022cb8d9d50bfde16aa0813c05f640e89e27f0d6aa7e3e5356c3222"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/globalSetup.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113041, "scanner": "repobility-ai-code-hygiene", "fingerprint": "119413b3f11043959dc51c165bfe83e778ae899163b058b774f695fef04d2753", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dogfood/first-run/setup.ts", "duplicate_line": 12, "correlation_key": "fp|119413b3f11043959dc51c165bfe83e778ae899163b058b774f695fef04d2753"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dogfood/sync/setup.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113040, "scanner": "repobility-ai-code-hygiene", "fingerprint": "79e67add7402a669b1f0ccae08d1732eedd6778cca250c8391490a23aabda10e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dogfood/setup.ts", "duplicate_line": 11, "correlation_key": "fp|79e67add7402a669b1f0ccae08d1732eedd6778cca250c8391490a23aabda10e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dogfood/sync/setup.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113039, "scanner": "repobility-ai-code-hygiene", "fingerprint": "86736d7e787a36b1dde472b875c4754143aa481bac5932e31dd184043015ec8a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": 
["https://jscpd.dev/"], "duplicate_file": "dogfood/first-run/playwright.config.ts", "duplicate_line": 18, "correlation_key": "fp|86736d7e787a36b1dde472b875c4754143aa481bac5932e31dd184043015ec8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dogfood/sync/playwright.config.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113038, "scanner": "repobility-ai-code-hygiene", "fingerprint": "422391617822ca5e4429b6d844a2f549761f579d9bb0fb6d82c29fbf36d8ff8e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dogfood/first-run/setup.ts", "duplicate_line": 12, "correlation_key": "fp|422391617822ca5e4429b6d844a2f549761f579d9bb0fb6d82c29fbf36d8ff8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dogfood/setup.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 113037, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5cca28ad8623a4aefa21f15a9468b214e1ca09803ae35f5e58ed85087b1855ab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "dogfood/first-run/playwright.config.ts", "duplicate_line": 18, "correlation_key": 
"fp|5cca28ad8623a4aefa21f15a9468b214e1ca09803ae35f5e58ed85087b1855ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dogfood/playwright.config.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 113153, "scanner": "repobility-threat-engine", "fingerprint": "e3388b234273f4a2e74e16f8adc875a3f1486e18f190fcdf1616eb27c8e71c32", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e3388b234273f4a2e74e16f8adc875a3f1486e18f190fcdf1616eb27c8e71c32", "aggregated_count": 1}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 113152, "scanner": "repobility-threat-engine", "fingerprint": "01243613c6301e2129162ddf9843991b31135293706723996f196b91c3a6e4b7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, 
"promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|01243613c6301e2129162ddf9843991b31135293706723996f196b91c3a6e4b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/kanban/CardDetailDialog.tsx"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 113151, "scanner": "repobility-threat-engine", "fingerprint": "e16c20e969ad29082a3fce67bebb52ab0e8b0dc62e43caea701e89ee442fc0bf", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e16c20e969ad29082a3fce67bebb52ab0e8b0dc62e43caea701e89ee442fc0bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/chat/UserMessage.tsx"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 113150, "scanner": "repobility-threat-engine", "fingerprint": "6670752e1a964ff7c1162458a5e5d940a5a46ced0be509e978419275c3e036bd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern 
matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6670752e1a964ff7c1162458a5e5d940a5a46ced0be509e978419275c3e036bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/chat/TodoRenderer.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 113145, "scanner": "repobility-threat-engine", "fingerprint": "11647ee1c8b1e96713097599a131a737d1484bc99be7e5e2c90109081a7ab165", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|11647ee1c8b1e96713097599a131a737d1484bc99be7e5e2c90109081a7ab165"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/chat/SvgRenderer.tsx"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 113144, "scanner": "repobility-threat-engine", "fingerprint": "2da421a1cd827d131965cc2b52f45309a92c15888af912f839dd0b4b6a314c04", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2da421a1cd827d131965cc2b52f45309a92c15888af912f839dd0b4b6a314c04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/chat/PlantUMLBlock.tsx"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 113143, "scanner": "repobility-threat-engine", "fingerprint": "de7aa1cf767ac6dbf01926c8d25ce548e024b3f74199d5b08f422b7f360f3186", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de7aa1cf767ac6dbf01926c8d25ce548e024b3f74199d5b08f422b7f360f3186"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/chat/GraphvizBlock.tsx"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 113142, "scanner": "repobility-threat-engine", "fingerprint": "c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 113138, "scanner": "repobility-threat-engine", "fingerprint": "a2462f2342130c42b2bac393b6d8e793b2374620a3c88e1933db1a350f480dec", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a2462f2342130c42b2bac393b6d8e793b2374620a3c88e1933db1a350f480dec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/vite.config.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 113137, "scanner": "repobility-threat-engine", "fingerprint": "292fcb09ed4312d2be51c943c179364c1e67aafb8604fdd362181a11caf0701e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", 
"triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|292fcb09ed4312d2be51c943c179364c1e67aafb8604fdd362181a11caf0701e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/serve.ts"}, "region": {"startLine": 270}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 113136, "scanner": "repobility-threat-engine", "fingerprint": "9538f1e64abc06611cb760d4cf74131bb8d1179208b0f6494ae6336a088ba74b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9538f1e64abc06611cb760d4cf74131bb8d1179208b0f6494ae6336a088ba74b", "aggregated_count": 2}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 113135, "scanner": "repobility-threat-engine", "fingerprint": "6ca8ab5fe7b7fbe0f7a44e0d726b62df586e410e902756c013dd577e2af12682", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": 
["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6ca8ab5fe7b7fbe0f7a44e0d726b62df586e410e902756c013dd577e2af12682"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/chat/AssistantMessage.tsx"}, "region": {"startLine": 175}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 113134, "scanner": "repobility-threat-engine", "fingerprint": "c8b1a707da603b1c6c1c0da376185b5e42851409044096e7d1a5d0af14f5c5be", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c8b1a707da603b1c6c1c0da376185b5e42851409044096e7d1a5d0af14f5c5be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/system-prompt.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 113133, "scanner": "repobility-threat-engine", "fingerprint": "efcc0c633eeb1d546e9ae54c0bfb7243683c46979bd7ebbf1bb56350d5027f1d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", 
"evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|efcc0c633eeb1d546e9ae54c0bfb7243683c46979bd7ebbf1bb56350d5027f1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/plugin-installer.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 113132, "scanner": "repobility-threat-engine", "fingerprint": "35bedd0240d3fc4d57f3c1f1fde9b6f248438c5e761a4848023fa16a9a5d0a46", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|35bedd0240d3fc4d57f3c1f1fde9b6f248438c5e761a4848023fa16a9a5d0a46", "aggregated_count": 10}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 113131, "scanner": "repobility-threat-engine", "fingerprint": "15915c35ecbbd738766b90c6a1ff208e3164a9349aaf5506d5a002302c3ac7dd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|15915c35ecbbd738766b90c6a1ff208e3164a9349aaf5506d5a002302c3ac7dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/personal-keys.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 113130, "scanner": "repobility-threat-engine", "fingerprint": "788508b81dac8a81710cc6964162a096652ad0c9860d1fda67ce25314217e3af", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|788508b81dac8a81710cc6964162a096652ad0c9860d1fda67ce25314217e3af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/host-exec.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 113129, "scanner": "repobility-threat-engine", "fingerprint": "7589f825624291c481a294dfb52cd448f5c88e02432482aea7b6a9388b559c05", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7589f825624291c481a294dfb52cd448f5c88e02432482aea7b6a9388b559c05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/github.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 113128, "scanner": "repobility-threat-engine", "fingerprint": "7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670"}}}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 113124, "scanner": "repobility-threat-engine", "fingerprint": "79beb8c79c8fe2afad3d97b1aaa69b9e44070a54ac39178f92cc366b51132c53", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|79beb8c79c8fe2afad3d97b1aaa69b9e44070a54ac39178f92cc366b51132c53"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 113120, "scanner": "repobility-threat-engine", "fingerprint": "6db3c894b465450ed3397efd621c237e80d2360fc29b614fb9f3f84e16755abf", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(`  settings.json:     ${c.settingsPath}`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|scripts/loopat.ts|14|console.log settings.json: c.settingspath"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/loopat.ts"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 113117, "scanner": "repobility-threat-engine", "fingerprint": "f922f4f13d4219e470422812906b99d2e69dcf0dbe44404db6fb52eebaf73cdd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f922f4f13d4219e470422812906b99d2e69dcf0dbe44404db6fb52eebaf73cdd", "aggregated_count": 15}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 113116, "scanner": "repobility-threat-engine", "fingerprint": "b0400e75651d625e95d54040f2ffc843553cdf3ccf699840be6e1c98439b7556", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b0400e75651d625e95d54040f2ffc843553cdf3ccf699840be6e1c98439b7556"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dogfood/sync/setup.ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 113115, "scanner": "repobility-threat-engine", "fingerprint": "e72278c9a5d0a627cd5f01b6de1a947f53f4c7bec2064df62e27ba9c28d53f9c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e72278c9a5d0a627cd5f01b6de1a947f53f4c7bec2064df62e27ba9c28d53f9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dogfood/setup.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 113114, "scanner": "repobility-threat-engine", "fingerprint": "0b372059be4fa23ef43001c8e8606959edc2f1b2b082799e570e5d250f597c40", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0b372059be4fa23ef43001c8e8606959edc2f1b2b082799e570e5d250f597c40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dogfood/first-run/setup.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 113113, "scanner": "repobility-threat-engine", "fingerprint": "a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a9290e9308832db1b29e6bdd660fce33b2dfaab9a936cf53d01913e8456ee998", "aggregated_count": 4}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 113112, "scanner": "repobility-threat-engine", "fingerprint": "1b27c92f5891bb92dda9d5fc2c461b80c540b3929a027abd879e0af9e65abe7c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1b27c92f5891bb92dda9d5fc2c461b80c540b3929a027abd879e0af9e65abe7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/host-exec.ts"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 113111, "scanner": "repobility-threat-engine", "fingerprint": "a1ca06dbe8f125b295dcce275212cbfa6686bca40075d9c51123438683df5ad7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a1ca06dbe8f125b295dcce275212cbfa6686bca40075d9c51123438683df5ad7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dogfood/sync/playwright.config.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 113110, "scanner": "repobility-threat-engine", "fingerprint": "ba45a1a1e8e77cd8168d480885874a342d15612fc3994aa5d9896626ffe93117", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ba45a1a1e8e77cd8168d480885874a342d15612fc3994aa5d9896626ffe93117"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dogfood/first-run/playwright.config.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 113109, "scanner": "repobility-threat-engine", "fingerprint": "606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|606792298c73b83412d8cf76624dd82fdf0a71ea3b779cecc6b4d4d439eccec4"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 113105, "scanner": "repobility-threat-engine", "fingerprint": "649d6d6fcdf017ef6b135647f3ec984864db51b5f2d71e3a11ae83a90e69859a", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|649d6d6fcdf017ef6b135647f3ec984864db51b5f2d71e3a11ae83a90e69859a"}}}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@vitejs/plugin-react` is patch version(s) behind (^6.0.1 -> 6.0.2)"}, "properties": {"repobilityId": 113091, "scanner": "repobility-dependency-currency", "fingerprint": "625ca5277955f3db58d2d7a999980fdacf84c5440efe2bce86799a46b94f5648", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@vitejs/plugin-react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "6.0.2", "correlation_key": "fp|625ca5277955f3db58d2d7a999980fdacf84c5440efe2bce86799a46b94f5648", "current_version": 
"^6.0.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `zustand` is patch version(s) behind (^5.0.13 -> 5.0.14)"}, "properties": {"repobilityId": 113089, "scanner": "repobility-dependency-currency", "fingerprint": "b1cfbc4ecb9b8c7b5d3e4a92128f31510dca6db9c718591e9d298584bc61b4f9", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "zustand", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "5.0.14", "correlation_key": "fp|b1cfbc4ecb9b8c7b5d3e4a92128f31510dca6db9c718591e9d298584bc61b4f9", "current_version": "^5.0.13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `react-resizable-panels` is patch version(s) behind (^4.11.1 -> 4.11.2)"}, "properties": {"repobilityId": 113087, "scanner": "repobility-dependency-currency", "fingerprint": "0bbd7a629f99f6762d7045dc2650f9fc82740a52a8e3596a557b65481e174075", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "react-resizable-panels", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "4.11.2", "correlation_key": "fp|0bbd7a629f99f6762d7045dc2650f9fc82740a52a8e3596a557b65481e174075", "current_version": "^4.11.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", 
"level": "none", "message": {"text": "npm package `@milkdown/react` is patch version(s) behind (^7.21.1 -> 7.21.2)"}, "properties": {"repobilityId": 113085, "scanner": "repobility-dependency-currency", "fingerprint": "32119f64e7a76cb95f764a1084715345e5c185949cedc6e2ce572c9d0df1dc2f", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@milkdown/react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.21.2", "correlation_key": "fp|32119f64e7a76cb95f764a1084715345e5c185949cedc6e2ce572c9d0df1dc2f", "current_version": "^7.21.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@milkdown/preset-gfm` is patch version(s) behind (^7.21.1 -> 7.21.2)"}, "properties": {"repobilityId": 113084, "scanner": "repobility-dependency-currency", "fingerprint": "f7eaac1c22098833407ec7e356a7d8c2b4166e74c812c071fde15fc51101f954", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@milkdown/preset-gfm", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.21.2", "correlation_key": "fp|f7eaac1c22098833407ec7e356a7d8c2b4166e74c812c071fde15fc51101f954", "current_version": "^7.21.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@milkdown/preset-commonmark` is patch version(s) behind (^7.21.1 -> 7.21.2)"}, "properties": 
{"repobilityId": 113083, "scanner": "repobility-dependency-currency", "fingerprint": "8fce1dba6f11462ca642f08c53d1d7d93673fda2b0e3d3eb1c9883c64cc3cc8d", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@milkdown/preset-commonmark", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.21.2", "correlation_key": "fp|8fce1dba6f11462ca642f08c53d1d7d93673fda2b0e3d3eb1c9883c64cc3cc8d", "current_version": "^7.21.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@milkdown/plugin-listener` is patch version(s) behind (^7.21.1 -> 7.21.2)"}, "properties": {"repobilityId": 113082, "scanner": "repobility-dependency-currency", "fingerprint": "d86ed68870125cc025507b730ae599577cd7ff56811f6445bda5ee50118eb430", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@milkdown/plugin-listener", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.21.2", "correlation_key": "fp|d86ed68870125cc025507b730ae599577cd7ff56811f6445bda5ee50118eb430", "current_version": "^7.21.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@milkdown/core` is patch version(s) behind (^7.21.1 -> 7.21.2)"}, "properties": {"repobilityId": 113081, "scanner": "repobility-dependency-currency", "fingerprint": 
"34a6a39eafd9d5372d7e4f84a212e715c18d502563cd285690c9579e5404a195", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@milkdown/core", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "7.21.2", "correlation_key": "fp|34a6a39eafd9d5372d7e4f84a212e715c18d502563cd285690c9579e5404a195", "current_version": "^7.21.1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@assistant-ui/react-markdown` is patch version(s) behind (^0.14.0 -> 0.14.1)"}, "properties": {"repobilityId": 113079, "scanner": "repobility-dependency-currency", "fingerprint": "1fd6290c17ea61d6487e02642557c5a12274093458c3a08b5bd709068b1227d9", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@assistant-ui/react-markdown", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.14.1", "correlation_key": "fp|1fd6290c17ea61d6487e02642557c5a12274093458c3a08b5bd709068b1227d9", "current_version": "^0.14.0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@assistant-ui/react` is patch version(s) behind (^0.14.5 -> 0.14.14)"}, "properties": {"repobilityId": 113078, "scanner": "repobility-dependency-currency", "fingerprint": "4a1796dfd3099006975edf4bb47aeecfddf2aefbee893ef387325c6848bb8dda", "category": "dependency", "severity": "info", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@assistant-ui/react", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.14.14", "correlation_key": "fp|4a1796dfd3099006975edf4bb47aeecfddf2aefbee893ef387325c6848bb8dda", "current_version": "^0.14.5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@scalar/hono-api-reference` is patch version(s) behind (^0.10.19 -> 0.10.20)"}, "properties": {"repobilityId": 113077, "scanner": "repobility-dependency-currency", "fingerprint": "4b6e85fa54b4f0948bf7f80fe7fa760cc688f5d6e1c33ce8d17c90e9355c274a", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@scalar/hono-api-reference", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.10.20", "correlation_key": "fp|4b6e85fa54b4f0948bf7f80fe7fa760cc688f5d6e1c33ce8d17c90e9355c274a", "current_version": "^0.10.19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@anthropic-ai/sandbox-runtime` is patch version(s) behind (^0.0.52 -> 0.0.54)"}, "properties": {"repobilityId": 113076, "scanner": "repobility-dependency-currency", "fingerprint": "1e02a67d02286e5890633da1afcbb5be5e687a002ab9e4a4a92c4e0480dca7b0", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@anthropic-ai/sandbox-runtime", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.0.54", "correlation_key": "fp|1e02a67d02286e5890633da1afcbb5be5e687a002ab9e4a4a92c4e0480dca7b0", "current_version": "^0.0.52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@anthropic-ai/claude-agent-sdk` is patch version(s) behind (^0.3.150 -> 0.3.165)"}, "properties": {"repobilityId": 113075, "scanner": "repobility-dependency-currency", "fingerprint": "dd998846619a2671007cea3febc282770c109c26acb6a9b7ad759106d304941a", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@anthropic-ai/claude-agent-sdk", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.3.165", "correlation_key": "fp|dd998846619a2671007cea3febc282770c109c26acb6a9b7ad759106d304941a", "current_version": "^0.3.150"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@scalar/hono-api-reference` is patch version(s) behind (^0.10.19 -> 0.10.20)"}, "properties": {"repobilityId": 113074, "scanner": "repobility-dependency-currency", "fingerprint": "c2f1c54df16613d8086690078f475340d9af21588df3df0ec6cca2645a148244", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": 
"@scalar/hono-api-reference", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.10.20", "correlation_key": "fp|c2f1c54df16613d8086690078f475340d9af21588df3df0ec6cca2645a148244", "current_version": "^0.10.19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@anthropic-ai/sandbox-runtime` is patch version(s) behind (^0.0.52 -> 0.0.54)"}, "properties": {"repobilityId": 113073, "scanner": "repobility-dependency-currency", "fingerprint": "13bf42aee54e4c73d8c8af83f7696cc02276e6580317f91ceed31ca425378213", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@anthropic-ai/sandbox-runtime", "scanner": "repobility-dependency-currency", "ecosystem": "npm", "languages": ["javascript"], "latest_version": "0.0.54", "correlation_key": "fp|13bf42aee54e4c73d8c8af83f7696cc02276e6580317f91ceed31ca425378213", "current_version": "^0.0.52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "DEPCUR-NPM", "level": "none", "message": {"text": "npm package `@anthropic-ai/claude-agent-sdk` is patch version(s) behind (^0.3.150 -> 0.3.165)"}, "properties": {"repobilityId": 113072, "scanner": "repobility-dependency-currency", "fingerprint": "c869b3a9316698f32fb337ce537abdffbdf6e5cdcc5748c7c8c9346e883558a1", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": [], "package": "@anthropic-ai/claude-agent-sdk", "scanner": "repobility-dependency-currency", "ecosystem": "npm", 
"languages": ["javascript"], "latest_version": "0.3.165", "correlation_key": "fp|c869b3a9316698f32fb337ce537abdffbdf6e5cdcc5748c7c8c9346e883558a1", "current_version": "^0.3.150"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 113164, "scanner": "repobility-journey-contract", "fingerprint": "8fe7bd9c598db0abf9ae7f735543efa0d9059726bb004446a301ce7c1facc573", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|web/src/pages/authpage.tsx|116|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/pages/AuthPage.tsx"}, "region": {"startLine": 116}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 113163, "scanner": "repobility-journey-contract", "fingerprint": "23918537ab61d0fcbf915fb608ca24bcbacf89dcdf0dce9f5ada9f3146e270a5", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|1368|jrn009"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "web/src/components/dialog/PersonalRepoPanel.tsx"}, "region": {"startLine": 1368}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 113162, "scanner": "repobility-journey-contract", "fingerprint": "09d3924de21ec5f79b9a15a4182c8c5e52e7407148ff06062d7953a458679d28", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|1150|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/dialog/PersonalRepoPanel.tsx"}, "region": {"startLine": 1150}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 113161, "scanner": "repobility-journey-contract", "fingerprint": "023a5cb575b843cc6da58a8c4097a30b96a74c2df747316b665e95e61fd52621", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|534|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/dialog/AdminDialog.tsx"}, "region": {"startLine": 534}}}]}, {"ruleId": "RUSTSEC-2024-0384", "level": "error", "message": {"text": 
"Rust crate `instant` is affected by RustSec advisory RUSTSEC-2024-0384"}, "properties": {"repobilityId": 113160, "scanner": "osv-scanner", "fingerprint": "0dae6fd0fe9c9d331418953980b342196779775d3139249842b323b76638f9e4", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "instant", "rule_id": "RUSTSEC-2024-0384", "scanner": "osv-scanner", "correlation_key": "fp|0dae6fd0fe9c9d331418953980b342196779775d3139249842b323b76638f9e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/port-proxy-rs/Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 113149, "scanner": "repobility-threat-engine", "fingerprint": "5891fdfe6c9403e770374a549f013563665b3e7a731bb1a600ebae2474ded5be", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((t) => `#${t}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5891fdfe6c9403e770374a549f013563665b3e7a731bb1a600ebae2474ded5be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/kanban/CardDetailDialog.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 113148, "scanner": "repobility-threat-engine", "fingerprint": "3f8926ae3951dc83185e42c85f536649bb36437dc612e7269a1ffad6e91accb0", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((row) => `| ${row.map(clean).join(\" | \")}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3f8926ae3951dc83185e42c85f536649bb36437dc612e7269a1ffad6e91accb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/chat/TableWithToolbar.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 113127, "scanner": "repobility-threat-engine", "fingerprint": "bb27dba47d023d9d26cb2fe6dd4e98f15f4ba04a45740a604f2477f9c4cc6175", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "terms.delete(loopId)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bb27dba47d023d9d26cb2fe6dd4e98f15f4ba04a45740a604f2477f9c4cc6175"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/term.ts"}, "region": {"startLine": 135}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 113126, "scanner": "repobility-threat-engine", "fingerprint": "811a70fbc169cfb5831492c067c0a0bd79ef2b4c4cf667d5b5b82881a16e0667", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "aliasCache.delete(subdomain)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|811a70fbc169cfb5831492c067c0a0bd79ef2b4c4cf667d5b5b82881a16e0667"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/serve.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 113125, "scanner": "repobility-threat-engine", "fingerprint": "9e3753be29fc13bd8ec9ccc22eeffbea6ec3ea5fe03fe4d622ca0f3802764f80", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "sessions.delete(token)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9e3753be29fc13bd8ec9ccc22eeffbea6ec3ea5fe03fe4d622ca0f3802764f80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/auth.ts"}, "region": {"startLine": 260}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 113108, "scanner": "repobility-threat-engine", "fingerprint": "6521732bad41b8b5ccabe4cdf98c4e9aa05cf6a0d45a96d17d200421f3a2d25d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(html", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6521732bad41b8b5ccabe4cdf98c4e9aa05cf6a0d45a96d17d200421f3a2d25d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "web/src/components/chat/HtmlArtifactCard.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 113107, "scanner": "repobility-threat-engine", "fingerprint": "2a10e5f34b90a968e5918169006ba71eaa1f3adde501bb0167520bc231561faa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(body", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2a10e5f34b90a968e5918169006ba71eaa1f3adde501bb0167520bc231561faa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/workspace.ts"}, "region": {"startLine": 294}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 113106, "scanner": "repobility-threat-engine", "fingerprint": "de4c9eb6625bcfaaf59772a35fefea3747883fc6179b80998d70167be716adf0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|de4c9eb6625bcfaaf59772a35fefea3747883fc6179b80998d70167be716adf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dogfood/first-run/playwright.config.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP 
request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 113104, "scanner": "repobility-threat-engine", "fingerprint": "77b2581cf8cc90555c681313ede0917795d92ad21d117b06bc4cbf9c5865d58e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(j", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|77b2581cf8cc90555c681313ede0917795d92ad21d117b06bc4cbf9c5865d58e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/providers.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 113103, "scanner": "repobility-threat-engine", "fingerprint": "e12aa978db4c09771411a7a6d928bfca0e2af7b178cdfa7956b1358b989e26da", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e12aa978db4c09771411a7a6d928bfca0e2af7b178cdfa7956b1358b989e26da"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/host-exec.ts"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 113102, "scanner": "repobility-threat-engine", "fingerprint": "fbbb6a66efb417eb97a883d92bed917f3ebc73f3b7fa18765ab141589a83001d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url (s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fbbb6a66efb417eb97a883d92bed917f3ebc73f3b7fa18765ab141589a83001d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dogfood/sync/playwright.config.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 113071, "scanner": "repobility-supply-chain", "fingerprint": "336d62e1d4f07b93fb8060a269faca2dd3fbb2f8ad20268df6ce7d80fbc1afcb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|336d62e1d4f07b93fb8060a269faca2dd3fbb2f8ad20268df6ce7d80fbc1afcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `oven-sh/setup-bun` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 113070, "scanner": "repobility-supply-chain", "fingerprint": "a382719151816a15278d4e1c4860a65295d7e3f13425914e31dbdc9b2a364f0e", "category": "dependency", "severity": "high", "confidence": 
0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a382719151816a15278d4e1c4860a65295d7e3f13425914e31dbdc9b2a364f0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 113069, "scanner": "repobility-supply-chain", "fingerprint": "2df4beba063f3bb3faa4d2b3d45ddfb35d22cb73f57a4e69212c3d5a5f719a5b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2df4beba063f3bb3faa4d2b3d45ddfb35d22cb73f57a4e69212c3d5a5f719a5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 113068, "scanner": "repobility-supply-chain", "fingerprint": "f5ba1d0130db245a3d4b55a1b5aa463527883fe191dde083b3c71c7a4bc671d2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|f5ba1d0130db245a3d4b55a1b5aa463527883fe191dde083b3c71c7a4bc671d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sandbox-image.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 113067, "scanner": "repobility-supply-chain", "fingerprint": "767457f3a0168ef34e4befc4edb980e68963a7d5f8c626aafc58b03fc94ccb80", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|767457f3a0168ef34e4befc4edb980e68963a7d5f8c626aafc58b03fc94ccb80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `oven/bun:1-slim` not pinned by digest"}, "properties": {"repobilityId": 113066, "scanner": "repobility-supply-chain", "fingerprint": "65c896a7538db6f24f246da99ec564d5d68a11b77f9ca5d4b86182de6742b126", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|65c896a7538db6f24f246da99ec564d5d68a11b77f9ca5d4b86182de6742b126"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /api/chat/channels/:id has no auth"}, 
"properties": {"repobilityId": 113065, "scanner": "repobility-route-auth", "fingerprint": "81e43cf42a51965d46c40c3d905880c6d31c9658dd8a4c0c8ec1c11f2eae5ea0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|81e43cf42a51965d46c40c3d905880c6d31c9658dd8a4c0c8ec1c11f2eae5ea0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/index.ts"}, "region": {"startLine": 2770}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/auth/logout has no auth"}, "properties": {"repobilityId": 113055, "scanner": "repobility-route-auth", "fingerprint": "810622ab3c5e3e0801d9975e23af9ebde60b801b40fc848abfab80492a14cddb", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|810622ab3c5e3e0801d9975e23af9ebde60b801b40fc848abfab80492a14cddb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/index.ts"}, "region": {"startLine": 393}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/auth/login has no auth"}, "properties": {"repobilityId": 113054, "scanner": "repobility-route-auth", "fingerprint": "47af82a086fb65d7c1399267d007d824108f08f75409a2c21f363c2f64f2ccee", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|47af82a086fb65d7c1399267d007d824108f08f75409a2c21f363c2f64f2ccee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/index.ts"}, "region": {"startLine": 376}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /api/auth/register has no auth"}, "properties": {"repobilityId": 113053, "scanner": "repobility-route-auth", "fingerprint": "e0cba82c5fea2ebc1389a433ed9046c2c72bba7bbbfb9a03a10b83e8a594b98b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|e0cba82c5fea2ebc1389a433ed9046c2c72bba7bbbfb9a03a10b83e8a594b98b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/index.ts"}, "region": {"startLine": 343}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /api/serve/config has no auth"}, "properties": {"repobilityId": 113052, "scanner": "repobility-route-auth", "fingerprint": "de398e4a3a8166641cf28a06d316656fd1607bdfc6d61f106afb4a5bee9a51aa", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": 
"fp|de398e4a3a8166641cf28a06d316656fd1607bdfc6d61f106afb4a5bee9a51aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/index.ts"}, "region": {"startLine": 175}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 113159, "scanner": "gitleaks", "fingerprint": "dadce4b74dff18ee481bb98fcca7a368a94ab8be66b29744e7bd100bbfb1775f", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "escaping symlink: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|18|escaping symlink: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/test/multi-vault.test.ts"}, "region": {"startLine": 187}}}]}, {"ruleId": "DKC001", "level": "error", "message": {"text": "Compose service runs privileged"}, "properties": {"repobilityId": 113157, "scanner": "repobility-docker", "fingerprint": "a49818bb5909dcba6505360b36432d8ae7ae34cce0f2d401a6a3e7da9ef52ade", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "privileged: true was set on the service.", "evidence": {"rule_id": "DKC001", "scanner": "repobility-docker", "service": "loopat", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a49818bb5909dcba6505360b36432d8ae7ae34cce0f2d401a6a3e7da9ef52ade"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /api/admin/system/pull"}, "properties": {"repobilityId": 113064, 
"scanner": "repobility-route-auth", "fingerprint": "8d2ed4f46e8a3cb6b56380b1bbfe04b0d45d26a7785b699e617415829f5fe6d2", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|8d2ed4f46e8a3cb6b56380b1bbfe04b0d45d26a7785b699e617415829f5fe6d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/index.ts"}, "region": {"startLine": 602}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /api/admin/system/check"}, "properties": {"repobilityId": 113063, "scanner": "repobility-route-auth", "fingerprint": "fdead1432080d1a1e1f6e556b93033af9b9e26635ea91b6162bf2f38f049bf17", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|fdead1432080d1a1e1f6e556b93033af9b9e26635ea91b6162bf2f38f049bf17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/index.ts"}, "region": {"startLine": 587}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: PUT /api/admin/presets"}, "properties": {"repobilityId": 113062, "scanner": "repobility-route-auth", "fingerprint": "e5929bce8848174534dff076c7f8a3e1ff2d021d95e6186aa55a0d8368c065c2", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|e5929bce8848174534dff076c7f8a3e1ff2d021d95e6186aa55a0d8368c065c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/index.ts"}, "region": {"startLine": 504}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: DELETE /api/admin/profiles/:name"}, "properties": {"repobilityId": 113061, "scanner": "repobility-route-auth", "fingerprint": "1cc9cba42271ca91fabc9bfff095bf880f564c1daf36ef01465dad4dc251f575", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|1cc9cba42271ca91fabc9bfff095bf880f564c1daf36ef01465dad4dc251f575"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/index.ts"}, "region": {"startLine": 483}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: PUT /api/admin/profiles/:name"}, "properties": {"repobilityId": 113060, "scanner": "repobility-route-auth", "fingerprint": "07865b2850f3a2137f3b727009acc825ac8370e594453b2087d5bcce6872f300", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": 
"fp|07865b2850f3a2137f3b727009acc825ac8370e594453b2087d5bcce6872f300"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/index.ts"}, "region": {"startLine": 474}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /api/admin/profiles"}, "properties": {"repobilityId": 113059, "scanner": "repobility-route-auth", "fingerprint": "3a771c6c1485da083827a0b704dd92dc40032de87a09f6567d569706bfdf196a", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|3a771c6c1485da083827a0b704dd92dc40032de87a09f6567d569706bfdf196a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/index.ts"}, "region": {"startLine": 456}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: DELETE /api/admin/users/:id"}, "properties": {"repobilityId": 113058, "scanner": "repobility-route-auth", "fingerprint": "a71de462b9ebd7eadf0c9f950b45b716ddd18e4b86b620d3668e628ce26b0b7b", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|a71de462b9ebd7eadf0c9f950b45b716ddd18e4b86b620d3668e628ce26b0b7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/index.ts"}, "region": {"startLine": 436}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint 
without auth: POST /api/admin/users/:id/role"}, "properties": {"repobilityId": 113057, "scanner": "repobility-route-auth", "fingerprint": "36a7300886aa37e6fba3130059f0e39849b5e07e1bf9eae6d12ec58acf9ce455", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|36a7300886aa37e6fba3130059f0e39849b5e07e1bf9eae6d12ec58acf9ce455"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/index.ts"}, "region": {"startLine": 422}}}]}, {"ruleId": "MINED114", "level": "error", "message": {"text": "Admin endpoint without auth: POST /api/admin/users/:id/activate"}, "properties": {"repobilityId": 113056, "scanner": "repobility-route-auth", "fingerprint": "968bf423e1eeac2167eaf24d904dfba2025b1f9a5386598b0e56d779d5398a1a", "category": "quality", "severity": "critical", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "admin-handler-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-284", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 6292}, "scanner": "repobility-route-auth", "correlation_key": "fp|968bf423e1eeac2167eaf24d904dfba2025b1f9a5386598b0e56d779d5398a1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/src/index.ts"}, "region": {"startLine": 415}}}]}]}]}