{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "CORE_NO_CI", "name": "No CI/CD configuration found", "shortDescription": {"text": "No CI/CD configuration found"}, "fullDescription": {"text": "Add a CI/CD pipeline: create .github/workflows/ci.yml for GitHub Actions with steps to lint, test, and build on every push and pull request."}, "properties": {"scanner": "repobility-core", "category": "practices", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED008", "name": "[MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let.", "shortDescription": {"text": "[MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED038", "name": "[MINED038] Swift Try Bang: try! crashes on thrown error. Use try? or do/catch.", "shortDescription": {"text": "[MINED038] Swift Try Bang: try! crashes on thrown error. Use try? or do/catch."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1202"}, "properties": {"repository": "ihazgithub/TopOff", "repoUrl": "https://github.com/ihazgithub/TopOff", "branch": "main"}, "results": [{"ruleId": "CORE_NO_CI", "level": "warning", "message": {"text": "No CI/CD configuration found"}, "properties": {"repobilityId": 121409, "scanner": "repobility-core", "fingerprint": "ca5da3551af97272c4f099fc472740148135a15816b81b90bd862e8f91ec66ce", "category": "practices", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_CI", "scanner": "repobility-core", "correlation_key": "repo|practices|core_no_ci"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 121413, "scanner": "repobility-threat-engine", "fingerprint": "8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b"}}}, {"ruleId": "MINED008", "level": "error", "message": {"text": "[MINED008] Swift Force Unwrap: optional! crashes on nil. Use guard let or if let."}, "properties": {"repobilityId": 121416, "scanner": "repobility-threat-engine", "fingerprint": "a143e3ded3235b1c1d317c300c0e1143992b264313a542d5e7aff9827a030e89", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "swift-force-unwrap", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["swift"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347916+00:00", "triaged_in_corpus": 15, "observations_count": 210453, "ai_coder_pattern_id": 157}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a143e3ded3235b1c1d317c300c0e1143992b264313a542d5e7aff9827a030e89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TopOff/TopOffTests/BrewErrorClassificationTests.swift"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED038", "level": "error", "message": {"text": "[MINED038] Swift Try Bang: try! crashes on thrown error. Use try? or do/catch."}, "properties": {"repobilityId": 121415, "scanner": "repobility-threat-engine", "fingerprint": "310eec99cf7df05e10a3464142e460beea1b8af7e15432cbe22ec6ec85148174", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "swift-try-bang", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["swift"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347986+00:00", "triaged_in_corpus": 15, "observations_count": 2002, "ai_coder_pattern_id": 158}, "scanner": "repobility-threat-engine", "correlation_key": "fp|310eec99cf7df05e10a3464142e460beea1b8af7e15432cbe22ec6ec85148174"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TopOff/TopOffTests/MenuBarViewModelSkipListTests.swift"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED038", "level": "error", "message": {"text": "[MINED038] Swift Try Bang: try! crashes on thrown error. Use try? or do/catch."}, "properties": {"repobilityId": 121414, "scanner": "repobility-threat-engine", "fingerprint": "45b8d59a549c0a250b6d65c39767248c4851df7398b865021e69b9a3c86b6441", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "swift-try-bang", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["swift"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347986+00:00", "triaged_in_corpus": 15, "observations_count": 2002, "ai_coder_pattern_id": 158}, "scanner": "repobility-threat-engine", "correlation_key": "fp|45b8d59a549c0a250b6d65c39767248c4851df7398b865021e69b9a3c86b6441"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TopOff/TopOffTests/AskpassScriptTests.swift"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 121412, "scanner": "repobility-threat-engine", "fingerprint": "3e17cacd4b204f63bdd810417281775083036897517c02ae59d448f7ae77512f", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3e17cacd4b204f63bdd810417281775083036897517c02ae59d448f7ae77512f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TopOff/TopOffTests/AskpassScriptTests.swift"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 121411, "scanner": "repobility-threat-engine", "fingerprint": "4391cbc7ef9e9176e41098e9f7f4ed28f4c477ce4ccb108ea7010e8adf189477", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4391cbc7ef9e9176e41098e9f7f4ed28f4c477ce4ccb108ea7010e8adf189477"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TopOff/TopOff/NotificationManager.swift"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 121410, "scanner": "repobility-threat-engine", "fingerprint": "9665b749e6d1f997eae15bee9ba4603e0e17a7144bf7c908ee6d47f6fba2b63c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9665b749e6d1f997eae15bee9ba4603e0e17a7144bf7c908ee6d47f6fba2b63c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "TopOff/TopOff/AboutView.swift"}, "region": {"startLine": 52}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 121408, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}]}]}