{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR018", "name": "Database dump or local database file is included in Docker build context", "shortDescription": {"text": "Database dump or local database file is included in Docker build context"}, "fullDescription": {"text": "Move database dumps outside the Docker build context or exclude them with .dockerignore. Keep backup and restore artifacts in private object storage or a dedicated backup workflow."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC012", "name": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the t", "shortDescription": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "fullDescription": {"text": "Validate extracted paths with os.path.realpath() and ensure they stay within the target directory."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Add `Sitemap: https://your-domain.example/sitemap.xml` to robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `module_checksum_errors` has cognitive complexity 8 (SonarSource scale). C", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `module_checksum_errors` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and r"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 8."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED062", "name": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model.", "shortDescription": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.", "shortDescription": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC016", "name": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prom", "shortDescription": {"text": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL injection: an attacker can craft input tha"}, "fullDescription": {"text": "1) Separate user content from instructions: use the 'user' role for user text and 'system' role for your instructions \u2014 never concatenate them into one string. 2) Validate and constrain: limit input length, strip control characters, and reject known injection patterns. 3) Use structured output (JSON mode / function calling) so the model returns data, not freeform actions. 4) Apply output validation: check the AI's response before acting on it. 5) Consider a prompt injection detection layer (e.g. Anthropic's constitutional AI, prompt-guard models)."}, "properties": {"scanner": "repobility-threat-engine", "category": "llm_injection", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED041", "name": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs.", "shortDescription": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block (and 41 more): Same pattern found in 41 additional files. Review if needed.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block (and 41 more): Same pattern found in 41 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 43 more): Same pattern found in 43 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 43 more): Same pattern found in 43 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 61 more): Same pattern found in 61 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 61 more): Same pattern found in 61 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 9 more): Same pattern found in 9 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 29 more): Same pattern found in 29 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 192 more): Same pattern found in 192 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 192 more): Same pattern found in 192 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED072", "name": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in.", "shortDescription": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images shou"}, "fullDescription": {"text": "Replace with: `FROM ubuntu:24.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `arm64v8/ubuntu:24.04` unpinned: `container/services image: arm64v8/ubuntu:", "shortDescription": {"text": "[MINED126] Workflow container/services image `arm64v8/ubuntu:24.04` unpinned: `container/services image: arm64v8/ubuntu:24.04` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same"}, "fullDescription": {"text": "Replace with `arm64v8/ubuntu:24.04@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `taiki-e/install-action` pinned to mutable ref `@v2`: `uses: taiki-e/install-action@v2` resolves at wo", "shortDescription": {"text": "[MINED115] Action `taiki-e/install-action` pinned to mutable ref `@v2`: `uses: taiki-e/install-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromi"}, "fullDescription": {"text": "Replace with: `uses: taiki-e/install-action@<40-char-sha>  # v2` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED106", "name": "[MINED106] Phantom test coverage: test_missing_runtime_package_requires_explicit_codex_bin: Test function `test_missing_", "shortDescription": {"text": "[MINED106] Phantom test coverage: test_missing_runtime_package_requires_explicit_codex_bin: Test function `test_missing_runtime_package_requires_explicit_codex_bin` runs code but contains no assert / expect / should call \u2014 it passes regardl"}, "fullDescription": {"text": "Add an explicit assertion that captures the test's intent, or remove the test."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED110", "name": "[MINED110] Blocking call `time.sleep` inside async function `scenario`: `time.sleep` is a synchronous (blocking) call. W", "shortDescription": {"text": "[MINED110] Blocking call `time.sleep` inside async function `scenario`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making "}, "fullDescription": {"text": "Use the async equivalent: `aiohttp` instead of `requests`, `asyncio.sleep` instead of `time.sleep`, `aiofiles` instead of `open`."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_build_uses_prebuilt_windows_helpers_with", "shortDescription": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_build_uses_prebuilt_windows_helpers_without_running_cargo` of class `SourceBinariesForTargetTest` reads `self.assertEqual`, but no assignment to it exists in __"}, "fullDescription": {"text": "Initialize `self.assertEqual = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC035", "name": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based o", "shortDescription": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation."}, "fullDescription": {"text": "Cap user-controlled sizes BEFORE allocation:\n  size = min(int(request.args.get('n', 100)), MAX_SIZE)\nSet framework-level limits:\n  Flask:    app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024\n  FastAPI:  use middleware to enforce request size\n  Django:   DATA_UPLOAD_MAX_MEMORY_SIZE in settings.py\nNever raise `sys.setrecursionlimit` past 10K without a deeper review."}, "properties": {"scanner": "repobility-threat-engine", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.BUILDBUDDY_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_reque", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.BUILDBUDDY_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BUILDBUDDY_API_KEY }` lets a PR from any fork exfiltrate "}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/784"}, "properties": {"repository": "openai/codex", "repoUrl": "https://github.com/openai/codex", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 66309, "scanner": "repobility-ast-engine", "fingerprint": "d2c5ea1bbdbfab42e02dd81b61f175833091a3d63411fffe1f6baf5d2b78d79c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d2c5ea1bbdbfab42e02dd81b61f175833091a3d63411fffe1f6baf5d2b78d79c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/python/src/openai_codex/retry.py"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 66308, "scanner": "repobility-ast-engine", "fingerprint": "1b5ee40fce2c67de5eeff9e8e9d830fde39eeebef836517fbddc60a54819ab52", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1b5ee40fce2c67de5eeff9e8e9d830fde39eeebef836517fbddc60a54819ab52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/python/src/openai_codex/client.py"}, "region": {"startLine": 650}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 66307, "scanner": "repobility-ast-engine", "fingerprint": "e71c322333d7b2e12ca24243069d332779b38d6adc8d5b1ddbe97e7d9dd5b69e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e71c322333d7b2e12ca24243069d332779b38d6adc8d5b1ddbe97e7d9dd5b69e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/python/src/openai_codex/client.py"}, "region": {"startLine": 589}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 66306, "scanner": "repobility-ast-engine", "fingerprint": "de1b1f9d21e6cae0d5bf8cdfd30e406ee1738025d6e95e549be027e42227d45f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|de1b1f9d21e6cae0d5bf8cdfd30e406ee1738025d6e95e549be027e42227d45f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/python/src/openai_codex/client.py"}, "region": {"startLine": 263}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 66305, "scanner": "repobility-ast-engine", "fingerprint": "ed301dc4d236a5d0ae5763ed8ca88c04d82c43daa97d9a09b749da7342c9350b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ed301dc4d236a5d0ae5763ed8ca88c04d82c43daa97d9a09b749da7342c9350b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/python/examples/10_error_handling_and_retry/async.py"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 66285, "scanner": "repobility-ast-engine", "fingerprint": "149a89e461ab88aa88fb57f3f238c399892d6c840dec8c8d16532a67a275dfc2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|149a89e461ab88aa88fb57f3f238c399892d6c840dec8c8d16532a67a275dfc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/skills/src/assets/samples/imagegen/scripts/image_gen.py"}, "region": {"startLine": 684}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 66284, "scanner": "repobility-ast-engine", "fingerprint": "1e3cda73e121e8314ade3d59e8d0c5cffd238ae2fdcaf24f43d8e12824771164", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1e3cda73e121e8314ade3d59e8d0c5cffd238ae2fdcaf24f43d8e12824771164"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/skills/src/assets/samples/imagegen/scripts/image_gen.py"}, "region": {"startLine": 554}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 66283, "scanner": "repobility-ast-engine", "fingerprint": "ebde8c6d6ed3a6d15464cc133a46887a2b050ed74fde429da8735fd5cc329bdc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ebde8c6d6ed3a6d15464cc133a46887a2b050ed74fde429da8735fd5cc329bdc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/skills/src/assets/samples/imagegen/scripts/image_gen.py"}, "region": {"startLine": 520}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 66282, "scanner": "repobility-ast-engine", "fingerprint": "d6a86b6575e4d7a13730244cdda4b52564f8f49ba3b73158623f9ffe4388be12", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d6a86b6575e4d7a13730244cdda4b52564f8f49ba3b73158623f9ffe4388be12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/skills/src/assets/samples/imagegen/scripts/image_gen.py"}, "region": {"startLine": 333}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 66281, "scanner": "repobility-ast-engine", "fingerprint": "d7ac6d7e87cc9d7eae2875a6e97a79b041b45cc7252f48d9c8aaffcab972e7d0", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d7ac6d7e87cc9d7eae2875a6e97a79b041b45cc7252f48d9c8aaffcab972e7d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/skills/src/assets/samples/skill-creator/scripts/init_skill.py"}, "region": {"startLine": 312}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 66280, "scanner": "repobility-ast-engine", "fingerprint": "eff554a695f4edd1d773a959c34a96c903d940f93c333bfe6b0e3db07ea3fe05", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eff554a695f4edd1d773a959c34a96c903d940f93c333bfe6b0e3db07ea3fe05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/skills/src/assets/samples/skill-creator/scripts/init_skill.py"}, "region": {"startLine": 304}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 66279, "scanner": "repobility-ast-engine", "fingerprint": "69ddf852f46897b9844efe008dda63bf9c0d611240cdb1743e9d6bea8da4fa20", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|69ddf852f46897b9844efe008dda63bf9c0d611240cdb1743e9d6bea8da4fa20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/skills/src/assets/samples/skill-creator/scripts/init_skill.py"}, "region": {"startLine": 295}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 66278, "scanner": "repobility-ast-engine", "fingerprint": "e4a0ad92623baf46d18b2f0b0f5f909648bad3222f9120521032e0e69e69f128", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e4a0ad92623baf46d18b2f0b0f5f909648bad3222f9120521032e0e69e69f128"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/skills/src/assets/samples/skill-creator/scripts/init_skill.py"}, "region": {"startLine": 283}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 66277, "scanner": "repobility-ast-engine", "fingerprint": "28908a4a7a97ad5c59d20220252fe6d7596a64db4b22fa183fa677179cbb3447", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|28908a4a7a97ad5c59d20220252fe6d7596a64db4b22fa183fa677179cbb3447"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/windows-sandbox-rs/sandbox_smoketests.py"}, "region": {"startLine": 176}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 66261, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Django"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 66258, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR018", "level": "warning", "message": {"text": "Database dump or local database file is included in Docker build context"}, "properties": {"repobilityId": 66255, "scanner": "repobility-docker", "fingerprint": "655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like artifacts are reachable from the Docker build context and are not ignored.", "evidence": {"rule_id": "DKR018", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|655485f8d8d660f19955b099504360fbf5ff0f88b2be2fc7d9501b5ab7e7369f", "database_artifacts": [{"path": "codex-rs/state/migrations/0018_phase2_selection_snapshot.sql", "size_mb": 0.0}]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 66254, "scanner": "repobility-agent-runtime", "fingerprint": "4d97fc8f71a8028530aa1d3e56ea67cc145a95938a424b6de312d553fc8c5f3d", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|4d97fc8f71a8028530aa1d3e56ea67cc145a95938a424b6de312d553fc8c5f3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/app-server-daemon/README.md"}, "region": {"startLine": 39}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 66253, "scanner": "repobility-agent-runtime", "fingerprint": "b671ff1406dcb884d7c7f43667a4cffb18630e58990f15568f1dca57016478ee", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|b671ff1406dcb884d7c7f43667a4cffb18630e58990f15568f1dca57016478ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC012", "level": "warning", "message": {"text": "[SEC012] ZipSlip \u2014 Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory."}, "properties": {"repobilityId": 66220, "scanner": "repobility-threat-engine", "fingerprint": "449e9847cc5355ddc8636417e3ba41629bd69f5658b201e99d5bd4a9c8607572", "category": "path_traversal", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".extractall(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC012", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|112|sec012"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/skills/src/assets/samples/skill-installer/scripts/install-skill-from-github.py"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 66207, "scanner": "repobility-threat-engine", "fingerprint": "48cf08b8803ad5e95351b460957a973f7895814a61923b2567795095fc5658ce", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url: \"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|48cf08b8803ad5e95351b460957a973f7895814a61923b2567795095fc5658ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/config/src/mcp_edit_tests.rs"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 66206, "scanner": "repobility-threat-engine", "fingerprint": "797296bcf4c2343644242924f4ce2d5e3a244a11a4b129777530a784efa85942", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "base_url: \"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|797296bcf4c2343644242924f4ce2d5e3a244a11a4b129777530a784efa85942"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/codex-api/src/endpoint/search.rs"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 66205, "scanner": "repobility-threat-engine", "fingerprint": "d1c5c55134c64769d2884f6ce09581acfaa73690e48a213ecba8fb77238261f4", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "base_url: \"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d1c5c55134c64769d2884f6ce09581acfaa73690e48a213ecba8fb77238261f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/codex-api/src/endpoint/images.rs"}, "region": {"startLine": 136}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 66184, "scanner": "repobility-threat-engine", "fingerprint": "50b7836da80cfed82ea7193a2ac04112f816208da2e7a72413d2ccc6a4ca61e7", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|40|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/exec-server/src/remote_process.rs"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 66183, "scanner": "repobility-threat-engine", "fingerprint": "51a1a8d26bb8ddf54afbe0739548a746122bb5eb685a0ccd8d10d058f749cbdb", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|18|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/cloud-tasks/src/cli.rs"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 66182, "scanner": "repobility-threat-engine", "fingerprint": "e66eb12909ab96310b1a31b6cf7833059b2253ae174f6566b407597c8c449551", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|147|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/app-server-daemon/src/update_loop.rs"}, "region": {"startLine": 147}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 66262, "scanner": "repobility-web-presence", "fingerprint": "036bb259930de76bc857e7fca2011d7dd9dfe8fe82dce8bcb48993e2a0f0fb8f", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|036bb259930de76bc857e7fca2011d7dd9dfe8fe82dce8bcb48993e2a0f0fb8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust-release-prepare.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 66256, "scanner": "repobility-docker", "fingerprint": "6550649fe27d10a3ce48c66f0946e3deede84493ef1e6380b1be82cc06093101", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|6550649fe27d10a3ce48c66f0946e3deede84493ef1e6380b1be82cc06093101"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66252, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6eb0e2df30fd8ce0c2e72d7d244777901db39377a53ffd08837639768d398971", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/app-server-protocol/src/protocol/v2/plugin.rs", "duplicate_line": 198, "correlation_key": "fp|6eb0e2df30fd8ce0c2e72d7d244777901db39377a53ffd08837639768d398971"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/core-skills/src/model.rs"}, "region": {"startLine": 47}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66251, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bbb2f3fccf0cc0942c697f7f8100a5d2d759607ec0f9bc10ba9be18eee3ada9b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/core-plugins/src/remote/share/checkout.rs", "duplicate_line": 422, "correlation_key": "fp|bbb2f3fccf0cc0942c697f7f8100a5d2d759607ec0f9bc10ba9be18eee3ada9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/core-plugins/src/remote/share/local_paths.rs"}, "region": {"startLine": 92}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66250, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fa4e3a719eee5c194ccbcdb7b74d1b00d6e967fbcfa2758526e68d8246d4c166", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/core-plugins/src/marketplace.rs", "duplicate_line": 576, "correlation_key": "fp|fa4e3a719eee5c194ccbcdb7b74d1b00d6e967fbcfa2758526e68d8246d4c166"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/core-plugins/src/marketplace_add/source.rs"}, "region": {"startLine": 164}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66249, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8fdf311f705d6d18132b2959eb01c87c8443f46c751e37e37b7cc8ead62c1a59", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/app-server-protocol/src/protocol/v2/plugin.rs", "duplicate_line": 338, "correlation_key": "fp|8fdf311f705d6d18132b2959eb01c87c8443f46c751e37e37b7cc8ead62c1a59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/core-plugins/src/manifest.rs"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66248, "scanner": "repobility-ai-code-hygiene", "fingerprint": "84c83fabb410f39542c300c5d65a62786197c7a447a93fb38590332b6ff579d8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/app-server-protocol/src/protocol/v2/config.rs", "duplicate_line": 94, "correlation_key": "fp|84c83fabb410f39542c300c5d65a62786197c7a447a93fb38590332b6ff579d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/config/src/types.rs"}, "region": {"startLine": 257}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66247, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cba27b0789e4d325d36a3f95aa86753a199bd7ca931e027453e5f43a9d99e7e9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/config/src/diagnostics.rs", "duplicate_line": 132, "correlation_key": "fp|cba27b0789e4d325d36a3f95aa86753a199bd7ca931e027453e5f43a9d99e7e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/config/src/strict_config.rs"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66246, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4ebbd482e4e1712d7263b634c7bcb5d51c484cc14cb7eef715b849e8497006f4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/codex-mcp/src/runtime.rs", "duplicate_line": 107, "correlation_key": "fp|4ebbd482e4e1712d7263b634c7bcb5d51c484cc14cb7eef715b849e8497006f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/config/src/mcp_types_tests.rs"}, "region": {"startLine": 396}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66245, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d957b385033d02c30e4a81224ae0d753198390a4d60e2a8b70eca1e4ca6836e0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/codex-mcp/src/mcp/mod_tests.rs", "duplicate_line": 278, "correlation_key": "fp|d957b385033d02c30e4a81224ae0d753198390a4d60e2a8b70eca1e4ca6836e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/config/src/mcp_types_tests.rs"}, "region": {"startLine": 394}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66244, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5ff8088dabb768367b18306175dbd1a7e6ea573ea856eebc9700372f08932afa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/config/src/mcp_edit_tests.rs", "duplicate_line": 91, "correlation_key": "fp|5ff8088dabb768367b18306175dbd1a7e6ea573ea856eebc9700372f08932afa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/config/src/mcp_types_tests.rs"}, "region": {"startLine": 392}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66243, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b5ce1a59694716353c459d253285ec0d35531f2b90aa7f23c65056854ea8148", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/app-server-protocol/src/protocol/v2/config.rs", "duplicate_line": 115, "correlation_key": "fp|6b5ce1a59694716353c459d253285ec0d35531f2b90aa7f23c65056854ea8148"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/config/src/config_toml.rs"}, "region": {"startLine": 81}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66242, "scanner": "repobility-ai-code-hygiene", "fingerprint": "da59bbbf3c07e3c473194febecdda139d2509ab8895e8b42b21b68c828420eaa", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/codex-mcp/src/mcp/mod_tests.rs", "duplicate_line": 278, "correlation_key": "fp|da59bbbf3c07e3c473194febecdda139d2509ab8895e8b42b21b68c828420eaa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/codex-mcp/src/runtime.rs"}, "region": {"startLine": 105}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66241, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b951bbb76bfdd96adf6b662f434f7d501caa22f6eee8d5161b449a2fbf50693b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/codex-api/src/endpoint/images.rs", "duplicate_line": 81, "correlation_key": "fp|b951bbb76bfdd96adf6b662f434f7d501caa22f6eee8d5161b449a2fbf50693b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/codex-api/src/endpoint/search.rs"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66240, "scanner": "repobility-ai-code-hygiene", "fingerprint": "647273f80c0749e4d0824598c8569045424d4fe77174bd65ded027b0550b4bca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/codex-api/src/endpoint/realtime_websocket/methods_v1.rs", "duplicate_line": 17, "correlation_key": "fp|647273f80c0749e4d0824598c8569045424d4fe77174bd65ded027b0550b4bca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/codex-api/src/endpoint/realtime_websocket/methods_v2.rs"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66239, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6f24f87fce3f63ffe05634494b50875f345e9a089d39342a189828ab33c6c04e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/codex-api/src/endpoint/images.rs", "duplicate_line": 118, "correlation_key": "fp|6f24f87fce3f63ffe05634494b50875f345e9a089d39342a189828ab33c6c04e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/codex-api/src/endpoint/realtime_call.rs"}, "region": {"startLine": 250}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66238, "scanner": "repobility-ai-code-hygiene", "fingerprint": "312451c27dc81d39e8743393eceb6524c2ec94e44d184c2ecb3b2066ef30cfe2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/codex-api/src/endpoint/memories.rs", "duplicate_line": 113, "correlation_key": "fp|312451c27dc81d39e8743393eceb6524c2ec94e44d184c2ecb3b2066ef30cfe2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/codex-api/src/endpoint/realtime_call.rs"}, "region": {"startLine": 244}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66237, "scanner": "repobility-ai-code-hygiene", "fingerprint": "88fc70f1d2d7723e191cc50bbf608358911b9acf3573e50d284173d97cec1f58", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/codex-api/src/endpoint/images.rs", "duplicate_line": 118, "correlation_key": "fp|88fc70f1d2d7723e191cc50bbf608358911b9acf3573e50d284173d97cec1f58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/codex-api/src/endpoint/models.rs"}, "region": {"startLine": 120}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66236, "scanner": "repobility-ai-code-hygiene", "fingerprint": "49178f43b9c9df826d75fb98ca8183280153f47144139dc69961daa71a4d8416", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/codex-api/src/endpoint/memories.rs", "duplicate_line": 114, "correlation_key": "fp|49178f43b9c9df826d75fb98ca8183280153f47144139dc69961daa71a4d8416"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/codex-api/src/endpoint/models.rs"}, "region": {"startLine": 115}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66235, "scanner": "repobility-ai-code-hygiene", "fingerprint": "43319a0728f891c6102fe3d7e125ece39e2e66346bebec30b3888a8b4dae97fe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/codex-api/src/endpoint/images.rs", "duplicate_line": 86, "correlation_key": "fp|43319a0728f891c6102fe3d7e125ece39e2e66346bebec30b3888a8b4dae97fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/codex-api/src/endpoint/memories.rs"}, "region": {"startLine": 87}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66234, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff39c40ac623c9875b0eb2d4714516a174eae67754c14b9d2078e011b81041ad", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/app-server-transport/src/transport/mod.rs", "duplicate_line": 382, "correlation_key": "fp|ff39c40ac623c9875b0eb2d4714516a174eae67754c14b9d2078e011b81041ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/app-server/src/transport_tests.rs"}, "region": {"startLine": 402}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66233, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a8dce13c120376eeb91de2ed713f5ccbfccd3b68247744e40437fccbe6d70b0d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/app-server/src/request_processors/apps_processor.rs", "duplicate_line": 252, "correlation_key": "fp|a8dce13c120376eeb91de2ed713f5ccbfccd3b68247744e40437fccbe6d70b0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/app-server/src/request_processors/mcp_processor.rs"}, "region": {"startLine": 83}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66232, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cee9dbd66e1f144b127be3abfcfbcbe15aa2372c70bf2a7f0d7e86add3a4f401", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/app-server/src/request_processors/apps_processor.rs", "duplicate_line": 265, "correlation_key": "fp|cee9dbd66e1f144b127be3abfcfbcbe15aa2372c70bf2a7f0d7e86add3a4f401"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/app-server/src/request_processors/catalog_processor.rs"}, "region": {"startLine": 196}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66231, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1dc3b0c51df4d94cee4e5640b0ee438a288b3118421c39c274d4f95e1274ecbc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "codex-rs/app-server-protocol/src/protocol/v2/thread.rs", "duplicate_line": 127, "correlation_key": "fp|1dc3b0c51df4d94cee4e5640b0ee438a288b3118421c39c274d4f95e1274ecbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/app-server-protocol/src/protocol/v2/turn.rs"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 66230, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e00bc2c847f89e181fd71c79844f98f3c6de2b7aa42ecc63c79672dfb9e8ff74", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|e00bc2c847f89e181fd71c79844f98f3c6de2b7aa42ecc63c79672dfb9e8ff74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/tui/src/config_update.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 66229, "scanner": "repobility-ai-code-hygiene", "fingerprint": "195382cbe06c0e2a0e047752666b12e6f7e224eb7b31200234ccdc5505283dea", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "copy", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|195382cbe06c0e2a0e047752666b12e6f7e224eb7b31200234ccdc5505283dea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/tui/src/clipboard_copy.rs"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `module_checksum_errors` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=1, elif=1, for=1, if=2, nested_bonus=3."}, "properties": {"repobilityId": 66153, "scanner": "repobility-threat-engine", "fingerprint": "baa308c91095a7806a0911e04a4218220237aa179710d57fef64fa1a9ab920fa", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 8 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "module_checksum_errors", "breakdown": {"if": 2, "for": 1, "elif": 1, "continue": 1, "nested_bonus": 3}, "complexity": 8, "correlation_key": "fp|baa308c91095a7806a0911e04a4218220237aa179710d57fef64fa1a9ab920fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/rusty_v8_module_bazel.py"}, "region": {"startLine": 141}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `parse_checksum_manifest` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=1, except=1, for=1, if=6, nested_bonus=5."}, "properties": {"repobilityId": 66152, "scanner": "repobility-threat-engine", "fingerprint": "ccd91edb930a72544d5796278c417b880682a181b6434ef6ec1a0a756cbae44f", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 14 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "parse_checksum_manifest", "breakdown": {"if": 6, "for": 1, "except": 1, "continue": 1, "nested_bonus": 5}, "complexity": 14, "correlation_key": "fp|ccd91edb930a72544d5796278c417b880682a181b6434ef6ec1a0a756cbae44f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/rusty_v8_module_bazel.py"}, "region": {"startLine": 29}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `fix_directory_ownership` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=2, except=1, for=1, if=2, nested_bonus=3."}, "properties": {"repobilityId": 66151, "scanner": "repobility-threat-engine", "fingerprint": "045d2c8e3ff433d0ac2a79d3b35c70b32ffd5c50cdbcb7c24da0dfe4f042b97b", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "fix_directory_ownership", "breakdown": {"if": 2, "for": 1, "except": 1, "continue": 2, "nested_bonus": 3}, "complexity": 9, "correlation_key": "fp|045d2c8e3ff433d0ac2a79d3b35c70b32ffd5c50cdbcb7c24da0dfe4f042b97b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/post_install.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 66228, "scanner": "repobility-threat-engine", "fingerprint": "6a4004e68f6ae862e9000042b5e2f5b8c349fce362b44bdd9e9827640a57b9b3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a4004e68f6ae862e9000042b5e2f5b8c349fce362b44bdd9e9827640a57b9b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/samples/basic_streaming.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 66227, "scanner": "repobility-threat-engine", "fingerprint": "26da177c027de8a18403d66aedaaca5893a3c1a02d5bee1dbd23dd15abe26a7e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|26da177c027de8a18403d66aedaaca5893a3c1a02d5bee1dbd23dd15abe26a7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/python/src/openai_codex/_run.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 66226, "scanner": "repobility-threat-engine", "fingerprint": "392454025f8c75368814dd9c83a3165313be6eb449352bc233e4306cd0829b0c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|392454025f8c75368814dd9c83a3165313be6eb449352bc233e4306cd0829b0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/python/src/openai_codex/_login.py"}, "region": {"startLine": 101}}}]}, {"ruleId": "MINED062", "level": "none", "message": {"text": "[MINED062] Python Dataclass No Fields: @dataclass over an empty class \u2014 unfinished model."}, "properties": {"repobilityId": 66225, "scanner": "repobility-threat-engine", "fingerprint": "d9ed699ae558fc89a21b1f60b935b300034e75f92969818ca6afa4b9863ddfe1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-dataclass-no-fields", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348046+00:00", "triaged_in_corpus": 10, "observations_count": 92448, "ai_coder_pattern_id": 144}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d9ed699ae558fc89a21b1f60b935b300034e75f92969818ca6afa4b9863ddfe1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/python/src/openai_codex/_inputs.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services."}, "properties": {"repobilityId": 66224, "scanner": "repobility-threat-engine", "fingerprint": "5987ea8bbb3295930b960810a2785226d988c077b36ba7bc654cdc8be93e8238", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5987ea8bbb3295930b960810a2785226d988c077b36ba7bc654cdc8be93e8238"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/python/examples/11_cli_mini_app/sync.py"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 66219, "scanner": "repobility-threat-engine", "fingerprint": "8c3560525de975a9c202cd1b69e7b70cd2e798d159e8cb8d425d4f011026e437", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8c3560525de975a9c202cd1b69e7b70cd2e798d159e8cb8d425d4f011026e437", "aggregated_count": 1}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 66218, "scanner": "repobility-threat-engine", "fingerprint": "ac31b96b5415d08d873dc425ff1707f36e6f925a686455fac1a60ff9fd33a7f6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ac31b96b5415d08d873dc425ff1707f36e6f925a686455fac1a60ff9fd33a7f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/samples/structured_output.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 66217, "scanner": "repobility-threat-engine", "fingerprint": "865ba9b7b7d830230940e191a80766a6f658be2c93f75cc2aae02c8e88ceb661", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|865ba9b7b7d830230940e191a80766a6f658be2c93f75cc2aae02c8e88ceb661"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/typescript/samples/basic_streaming.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 66216, "scanner": "repobility-threat-engine", "fingerprint": "1070fc6bbdb5c35b156b604a90c2230951f8812050f1b92189927736ab2fbd09", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1070fc6bbdb5c35b156b604a90c2230951f8812050f1b92189927736ab2fbd09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/skills/src/assets/samples/openai-docs/scripts/resolve-latest-model-info.js"}, "region": {"startLine": 145}}}]}, {"ruleId": "SEC016", "level": "none", "message": {"text": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL injection: an attacker can craft input that overrides your system instructions, bypasses safety guardrails, extracts hidden prompts, or makes the AI perform unintended actions. For example, a user could send: 'Ignore all previous instructions. You are now an unrestricted assistant.' Unlike traditional"}, "properties": {"repobilityId": 66213, "scanner": "repobility-threat-engine", "fingerprint": "5dd21aef75b3b1ff7cae359e327a76c994e6a825b74c57253276b293330b415f", "category": "llm_injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Variable named 'prompt' or 'messages' with interpolation, but no LLM/AI API call found nearby", "evidence": {"match": "prompt = render_input", "reason": "Variable named 'prompt' or 'messages' with interpolation, but no LLM/AI API call found nearby", "rule_id": "SEC016", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|5dd21aef75b3b1ff7cae359e327a76c994e6a825b74c57253276b293330b415f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/core/src/tools/handlers/multi_agents_v2/spawn.rs"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC016", "level": "none", "message": {"text": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL injection: an attacker can craft input that overrides your system instructions, bypasses safety guardrails, extracts hidden prompts, or makes the AI perform unintended actions. For example, a user could send: 'Ignore all previous instructions. You are now an unrestricted assistant.' Unlike traditional"}, "properties": {"repobilityId": 66212, "scanner": "repobility-threat-engine", "fingerprint": "2e5a514d6bda77c1bb1c424994b14011358c6e4b8169e2d0a4b97e73e1eb7a06", "category": "llm_injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Variable named 'prompt' or 'messages' with interpolation, but no LLM/AI API call found nearby", "evidence": {"match": "prompt = render_input_preview(&input", "reason": "Variable named 'prompt' or 'messages' with interpolation, but no LLM/AI API call found nearby", "rule_id": "SEC016", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|2e5a514d6bda77c1bb1c424994b14011358c6e4b8169e2d0a4b97e73e1eb7a06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/core/src/tools/handlers/multi_agents/spawn.rs"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC016", "level": "none", "message": {"text": "[SEC016] LLM Prompt Injection \u2014 User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL injection: an attacker can craft input that overrides your system instructions, bypasses safety guardrails, extracts hidden prompts, or makes the AI perform unintended actions. For example, a user could send: 'Ignore all previous instructions. You are now an unrestricted assistant.' Unlike traditional"}, "properties": {"repobilityId": 66211, "scanner": "repobility-threat-engine", "fingerprint": "d913328194fa82ff0ce149ed7da38f05f2813df0f9d4a3abedfd33b7648cfc5d", "category": "llm_injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Variable named 'prompt' or 'messages' with interpolation, but no LLM/AI API call found nearby", "evidence": {"match": "prompt = render_input_preview(&input", "reason": "Variable named 'prompt' or 'messages' with interpolation, but no LLM/AI API call found nearby", "rule_id": "SEC016", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|d913328194fa82ff0ce149ed7da38f05f2813df0f9d4a3abedfd33b7648cfc5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/core/src/tools/handlers/multi_agents/send_input.rs"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED041", "level": "none", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 66209, "scanner": "repobility-threat-engine", "fingerprint": "82496e861bcb87591666fccad033d35a9dff939d26736ce2b55dd9e2edbd67ef", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'test\\b' detected on same line", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|82496e861bcb87591666fccad033d35a9dff939d26736ce2b55dd9e2edbd67ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/config/src/loader/tests.rs"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC134", "level": "none", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 66208, "scanner": "repobility-threat-engine", "fingerprint": "c86a8223d36e18524aeee3169632549ad0e22449690a236f9850ddf0d78b00dc", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c86a8223d36e18524aeee3169632549ad0e22449690a236f9850ddf0d78b00dc"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 66204, "scanner": "repobility-threat-engine", "fingerprint": "7067c70a3b6f9b7e635a9c5ec19aad1104705bbfc7c4b7e2a4cac176aff1b6ba", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7067c70a3b6f9b7e635a9c5ec19aad1104705bbfc7c4b7e2a4cac176aff1b6ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/rmcp-client/src/auth_status.rs"}, "region": {"startLine": 237}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 66203, "scanner": "repobility-threat-engine", "fingerprint": "378ebcabeab3bac946781cf602e7b052a1949fac5b5cfa498ada5bbd82727f49", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|378ebcabeab3bac946781cf602e7b052a1949fac5b5cfa498ada5bbd82727f49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/codex-client/src/chatgpt_cloudflare_cookies.rs"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 66202, "scanner": "repobility-threat-engine", "fingerprint": "710a975c1da9175c25bb7fe51e5de82edd8d0d8053280cd85b5551656fcaa71d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|710a975c1da9175c25bb7fe51e5de82edd8d0d8053280cd85b5551656fcaa71d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/code-mode/src/runtime/value.rs"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 66201, "scanner": "repobility-threat-engine", "fingerprint": "f1c2c4035cdd6e0916d588faf9becbbbd5dd61a9e4a7efb0017757e4e82f5c05", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f1c2c4035cdd6e0916d588faf9becbbbd5dd61a9e4a7efb0017757e4e82f5c05"}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block (and 41 more): Same pattern found in 41 additional files. Review if needed."}, "properties": {"repobilityId": 66197, "scanner": "repobility-threat-engine", "fingerprint": "f5515a175d2c6837762b0b57b4a39928ad82d16a141f2b6219caff2577e8c3d3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 41 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f5515a175d2c6837762b0b57b4a39928ad82d16a141f2b6219caff2577e8c3d3", "aggregated_count": 41}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 66196, "scanner": "repobility-threat-engine", "fingerprint": "69a0b3a1f12d372c8b0e76db6513d8213587fc7dc0d63b47a2745f893bbf7dc9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|69a0b3a1f12d372c8b0e76db6513d8213587fc7dc0d63b47a2745f893bbf7dc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/cli/src/desktop_app/mac.rs"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 66195, "scanner": "repobility-threat-engine", "fingerprint": "d5d9cb44c24f9fddabeec78e3ecd470eabbb345c95b58210e614ff7eaf78ae34", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d5d9cb44c24f9fddabeec78e3ecd470eabbb345c95b58210e614ff7eaf78ae34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/cli/src/debug_sandbox/pid_tracker.rs"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 66194, "scanner": "repobility-threat-engine", "fingerprint": "1998a8a315e781d67953499b0b3260a4e24b93bb347fad11c7fef44db4db0f38", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1998a8a315e781d67953499b0b3260a4e24b93bb347fad11c7fef44db4db0f38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/bwrap/src/main.rs"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 43 more): Same pattern found in 43 additional files. Review if needed."}, "properties": {"repobilityId": 66191, "scanner": "repobility-threat-engine", "fingerprint": "0d545925b22652f4ba16c58cad0b5a77d5e13bb2e188e2f4239ac634f4d5ecbd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 43 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0d545925b22652f4ba16c58cad0b5a77d5e13bb2e188e2f4239ac634f4d5ecbd", "aggregated_count": 43}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 66185, "scanner": "repobility-threat-engine", "fingerprint": "7ad821c68fd7d69c56ceaf843dc975879999279796dea3d5e69af832688addea", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7ad821c68fd7d69c56ceaf843dc975879999279796dea3d5e69af832688addea"}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 61 more): Same pattern found in 61 additional files. Review if needed."}, "properties": {"repobilityId": 66181, "scanner": "repobility-threat-engine", "fingerprint": "5ccf072062d704449744f8dc478716ceeb9c4cb0100cdab9023903b010471a8e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 61 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|5ccf072062d704449744f8dc478716ceeb9c4cb0100cdab9023903b010471a8e", "aggregated_count": 61}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 66180, "scanner": "repobility-threat-engine", "fingerprint": "7a7df468133043e8063fc227566671e2c6fa22669c0b9259f85d70f2ae86a236", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7a7df468133043e8063fc227566671e2c6fa22669c0b9259f85d70f2ae86a236"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/app-server-transport/src/transport/remote_control/segment_tests.rs"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 66179, "scanner": "repobility-threat-engine", "fingerprint": "c891ebf5a3e6b39426555706644fddbd870cfebded77cb07679997c29f93b91c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c891ebf5a3e6b39426555706644fddbd870cfebded77cb07679997c29f93b91c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/app-server-protocol/src/protocol/common_tests.rs"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors."}, "properties": {"repobilityId": 66178, "scanner": "repobility-threat-engine", "fingerprint": "3e35e5ce61ef3677a44fa6ad346ff5a12c63c65750a24774ba803b73cba7b6fc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e35e5ce61ef3677a44fa6ad346ff5a12c63c65750a24774ba803b73cba7b6fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/ansi-escape/src/lib.rs"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 66177, "scanner": "repobility-threat-engine", "fingerprint": "58c4da94b9afa5e01231817b007f3565b1e41c81ffd2047d0b8bd42d1b51c56a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|58c4da94b9afa5e01231817b007f3565b1e41c81ffd2047d0b8bd42d1b51c56a", "aggregated_count": 2}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 66173, "scanner": "repobility-threat-engine", "fingerprint": "4e858a56c34b65b0912e3fe629971d6d32fcda68cee02eb1f3bab34175679dd4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4e858a56c34b65b0912e3fe629971d6d32fcda68cee02eb1f3bab34175679dd4"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 29 more): Same pattern found in 29 additional files. Review if needed."}, "properties": {"repobilityId": 66169, "scanner": "repobility-threat-engine", "fingerprint": "063abbc1a988e6c8b43781a2091a8af2089bfaa08444dfc3e5781c1eafa01559", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 29 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 29 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|063abbc1a988e6c8b43781a2091a8af2089bfaa08444dfc3e5781c1eafa01559"}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 192 more): Same pattern found in 192 additional files. Review if needed."}, "properties": {"repobilityId": 66165, "scanner": "repobility-threat-engine", "fingerprint": "9f08ef30c0a523e2516a2b98904b85e11ffda09ecbd0495d034d25e6be0fb8f4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 192 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9f08ef30c0a523e2516a2b98904b85e11ffda09ecbd0495d034d25e6be0fb8f4", "aggregated_count": 192}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 66164, "scanner": "repobility-threat-engine", "fingerprint": "b6347ee20a62059404a686afec978f9889e024847482241f8611a0a1bbd836f3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b6347ee20a62059404a686afec978f9889e024847482241f8611a0a1bbd836f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/app-server-daemon/src/backend/pid_tests.rs"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 66163, "scanner": "repobility-threat-engine", "fingerprint": "32cef958cc2300239ed56731229d99b45219e452f8b5d7c40346f56ad205ab32", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|32cef958cc2300239ed56731229d99b45219e452f8b5d7c40346f56ad205ab32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/agent-graph-store/src/types.rs"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message."}, "properties": {"repobilityId": 66162, "scanner": "repobility-threat-engine", "fingerprint": "245173d25e5ce3169db342668bf3a2c26850dc7c58a12a081a5e07acfa90979f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|245173d25e5ce3169db342668bf3a2c26850dc7c58a12a081a5e07acfa90979f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/agent-graph-store/src/local.rs"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 66161, "scanner": "repobility-threat-engine", "fingerprint": "ff8a905e8df3aabaede36eea36094be5f59bb1ee35bb8e31431377ae3f064bae", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ff8a905e8df3aabaede36eea36094be5f59bb1ee35bb8e31431377ae3f064bae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/skills/src/assets/samples/skill-installer/scripts/list-skills.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 66160, "scanner": "repobility-threat-engine", "fingerprint": "a3745410ca52144591e1d19c4863ef76f41c3f2dfa701e4de8d93994f4596757", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a3745410ca52144591e1d19c4863ef76f41c3f2dfa701e4de8d93994f4596757"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/skills/src/assets/samples/skill-installer/scripts/install-skill-from-github.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 66159, "scanner": "repobility-threat-engine", "fingerprint": "42cbc91dba1d7b5b59e4601ebd4bda39f498c35c67e78867f3a1e74c03c669f4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|42cbc91dba1d7b5b59e4601ebd4bda39f498c35c67e78867f3a1e74c03c669f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/rusty_v8_module_bazel.py"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 66158, "scanner": "repobility-threat-engine", "fingerprint": "86ba1835d70968651e1fbb2569a4d94211de579a814cf34a5d1e1e2eafe3f130", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|86ba1835d70968651e1fbb2569a4d94211de579a814cf34a5d1e1e2eafe3f130", "aggregated_count": 1}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 66157, "scanner": "repobility-threat-engine", "fingerprint": "4b723bfce87d62bd57c4e04292c0644c1e7e738338153fd2844f9cbc2b9992d8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4b723bfce87d62bd57c4e04292c0644c1e7e738338153fd2844f9cbc2b9992d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/skills/src/assets/samples/skill-installer/scripts/list-skills.py"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 66156, "scanner": "repobility-threat-engine", "fingerprint": "d4f007d7c4f56313e06bf5de793938b4ed4de9e666c49051fd0ea99ad1cfc515", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d4f007d7c4f56313e06bf5de793938b4ed4de9e666c49051fd0ea99ad1cfc515"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/skills/src/assets/samples/skill-installer/scripts/install-skill-from-github.py"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 66155, "scanner": "repobility-threat-engine", "fingerprint": "701d4bfc054f33077f6d67c8d0abd6bed34f4e4901261b45d09509cf85c292ac", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|701d4bfc054f33077f6d67c8d0abd6bed34f4e4901261b45d09509cf85c292ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/rusty_v8_module_bazel.py"}, "region": {"startLine": 16}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 39 more): Same pattern found in 39 additional files. Review if needed."}, "properties": {"repobilityId": 66154, "scanner": "repobility-threat-engine", "fingerprint": "0b7fe54636352719cbc4711a7a74d6c7c2a5986f9272e22fb517084b56a61a3c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 39 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "fix_directory_ownership", "breakdown": {"if": 2, "for": 1, "except": 1, "continue": 2, "nested_bonus": 3}, "aggregated": true, "complexity": 9, "correlation_key": "fp|0b7fe54636352719cbc4711a7a74d6c7c2a5986f9272e22fb517084b56a61a3c", "aggregated_count": 39}}}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 66326, "scanner": "repobility-supply-chain", "fingerprint": "306173c363c126982c8db77d3cbcadf78d0858357420d977127e6cd16ed7cf9b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|306173c363c126982c8db77d3cbcadf78d0858357420d977127e6cd16ed7cf9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/Dockerfile.bazel"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `arm64v8/ubuntu:24.04` unpinned: `container/services image: arm64v8/ubuntu:24.04` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 66322, "scanner": "repobility-supply-chain", "fingerprint": "a802b5e8c1032025bd76df737840d7943570ece0cd18ff7d7a845d5cb903ea2b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a802b5e8c1032025bd76df737840d7943570ece0cd18ff7d7a845d5cb903ea2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust-release-zsh.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `ubuntu:24.04` unpinned: `container/services image: ubuntu:24.04` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 66321, "scanner": "repobility-supply-chain", "fingerprint": "0cf5c8c34e583d449e9b8b5f7b7b0281f9a6812032aa333ded75452d2b1b19c0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0cf5c8c34e583d449e9b8b5f7b7b0281f9a6812032aa333ded75452d2b1b19c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust-release-zsh.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `taiki-e/install-action` pinned to mutable ref `@v2`: `uses: taiki-e/install-action@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66313, "scanner": "repobility-supply-chain", "fingerprint": "081ff3757f01ff7cfb2c82d309da01a448f3b60f5db34e5ee108a78e636adf7e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|081ff3757f01ff7cfb2c82d309da01a448f3b60f5db34e5ee108a78e636adf7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/.github/workflows/cargo-audit.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66312, "scanner": "repobility-supply-chain", "fingerprint": "405b97d5ceef1d7a3bcf1e63445af6974e9d532d03bc75cadbfbb8e4cbcca050", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|405b97d5ceef1d7a3bcf1e63445af6974e9d532d03bc75cadbfbb8e4cbcca050"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/.github/workflows/cargo-audit.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:24.04` not pinned by digest: `FROM ubuntu:24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 66311, "scanner": "repobility-supply-chain", "fingerprint": "37dadcc460aa218e5bdf2cdf5f1498038cbdd9cede535d679c078915150918d1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|37dadcc460aa218e5bdf2cdf5f1498038cbdd9cede535d679c078915150918d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/devcontainers/base:ubuntu-24.04` not pinned by digest: `FROM mcr.microsoft.com/devcontainers/base:ubuntu-24.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 66310, "scanner": "repobility-supply-chain", "fingerprint": "a300cf318e370abcbe6820d22c3ffd5a5e42726ff5add159ca9e81aa3bcf274e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a300cf318e370abcbe6820d22c3ffd5a5e42726ff5add159ca9e81aa3bcf274e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile.secure"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_missing_runtime_package_requires_explicit_codex_bin: Test function `test_missing_runtime_package_requires_explicit_codex_bin` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 66304, "scanner": "repobility-ast-engine", "fingerprint": "8b783b22f1d488c494f8548893bee7cabcd0cca73a75629845e5fdd850a10e5c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8b783b22f1d488c494f8548893bee7cabcd0cca73a75629845e5fdd850a10e5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/python/tests/test_artifact_workflow_and_binaries.py"}, "region": {"startLine": 864}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_stage_runtime_release_rejects_incomplete_package_layout: Test function `test_stage_runtime_release_rejects_incomplete_package_layout` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 66303, "scanner": "repobility-ast-engine", "fingerprint": "01cf3e1e9a0070f516b1184491921d5e561d7a9cbdaa7adc6f7af30261d1b913", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|01cf3e1e9a0070f516b1184491921d5e561d7a9cbdaa7adc6f7af30261d1b913"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/python/tests/test_artifact_workflow_and_binaries.py"}, "region": {"startLine": 605}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_thread_run_raises_when_real_app_server_reports_failed_turn: Test function `test_thread_run_raises_when_real_app_server_reports_failed_turn` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 66302, "scanner": "repobility-ast-engine", "fingerprint": "4a97282287f36606c4bec954e12a88a88de0f5bf785be58664ef3b77c26205c3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4a97282287f36606c4bec954e12a88a88de0f5bf785be58664ef3b77c26205c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/python/tests/test_app_server_run.py"}, "region": {"startLine": 302}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "[MINED110] Blocking call `time.sleep` inside async function `scenario`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"repobilityId": 66301, "scanner": "repobility-ast-engine", "fingerprint": "008c184840d03cf25a0afc27e6803deda18b3c7210d7b525d45233173909d58c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|008c184840d03cf25a0afc27e6803deda18b3c7210d7b525d45233173909d58c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/python/tests/test_async_client_behavior.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_raw_sandbox_strings_are_rejected: Test function `test_raw_sandbox_strings_are_rejected` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 66300, "scanner": "repobility-ast-engine", "fingerprint": "0304610d8d3559ee3fc3ccc45e644ff363744f65495fb56fbede9cd3c2e28989", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0304610d8d3559ee3fc3ccc45e644ff363744f65495fb56fbede9cd3c2e28989"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/python/tests/test_public_api_runtime_behavior.py"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_unknown_approval_mode_is_rejected: Test function `test_unknown_approval_mode_is_rejected` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 66299, "scanner": "repobility-ast-engine", "fingerprint": "aa4f96c8bad92ebe0473f7b38c1f7d18788c70a73d5d231f5671cd8c9757899a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|aa4f96c8bad92ebe0473f7b38c1f7d18788c70a73d5d231f5671cd8c9757899a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sdk/python/tests/test_public_api_runtime_behavior.py"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_check_module_bazel_rejects_manifest_drift: Test function `test_check_module_bazel_rejects_manifest_drift` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 66298, "scanner": "repobility-ast-engine", "fingerprint": "481f1ede7e0666a70218714c0a6dfc1745bfe724d8dbaf73c48f040b1c1ef32d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|481f1ede7e0666a70218714c0a6dfc1745bfe724d8dbaf73c48f040b1c1ef32d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/test_rusty_v8_bazel.py"}, "region": {"startLine": 372}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_build_uses_prebuilt_windows_helpers_without_running_cargo` of class `SourceBinariesForTargetTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66297, "scanner": "repobility-ast-engine", "fingerprint": "af00e00ebf8af52caab8b640f9db3b15e9304d90df304f724e2ced676d81536c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|af00e00ebf8af52caab8b640f9db3b15e9304d90df304f724e2ced676d81536c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/codex_package/test_cargo.py"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_build_uses_prebuilt_windows_helpers_without_running_cargo` of class `SourceBinariesForTargetTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66296, "scanner": "repobility-ast-engine", "fingerprint": "bb3a786ef43a5781e782b2149d973bbdcf509cdb50ae835af394789d55d50637", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bb3a786ef43a5781e782b2149d973bbdcf509cdb50ae835af394789d55d50637"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/codex_package/test_cargo.py"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_build_uses_prebuilt_windows_helpers_without_running_cargo` of class `SourceBinariesForTargetTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66295, "scanner": "repobility-ast-engine", "fingerprint": "e9c521c74e5f11ec922394968d3c9f156e7994903cee6514b6f0ca82f7b18a4f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e9c521c74e5f11ec922394968d3c9f156e7994903cee6514b6f0ca82f7b18a4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/codex_package/test_cargo.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_missing_windows_helpers_are_built` of class `SourceBinariesForTargetTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66294, "scanner": "repobility-ast-engine", "fingerprint": "372dd748571fac52c4f17a703e41f03c71f5c0a3e50b32e45355e2a7e57616be", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|372dd748571fac52c4f17a703e41f03c71f5c0a3e50b32e45355e2a7e57616be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/codex_package/test_cargo.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_windows_package_with_prebuilt_entrypoint_and_helpers_builds_nothing` of class `SourceBinariesForTargetTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66293, "scanner": "repobility-ast-engine", "fingerprint": "7c2a9486b3eac27532cbead595cfc4b472fb899f2641c748cb604ff453c5dde1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7c2a9486b3eac27532cbead595cfc4b472fb899f2641c748cb604ff453c5dde1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/codex_package/test_cargo.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_linux_package_with_prebuilt_entrypoint_and_bwrap_builds_nothing` of class `SourceBinariesForTargetTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66292, "scanner": "repobility-ast-engine", "fingerprint": "da4e273a4ef750f68a8de506c929e4400162e9778c82936738ce58461634ee51", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|da4e273a4ef750f68a8de506c929e4400162e9778c82936738ce58461634ee51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/codex_package/test_cargo.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_macos_package_with_prebuilt_entrypoint_builds_nothing` of class `SourceBinariesForTargetTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66291, "scanner": "repobility-ast-engine", "fingerprint": "03ad79ca62d94b76c0901d64544fd8ecec18ba38850cccf6eaedca9b5cb46b70", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|03ad79ca62d94b76c0901d64544fd8ecec18ba38850cccf6eaedca9b5cb46b70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/codex_package/test_cargo.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertRaisesRegex` used but never assigned in __init__: Method `test_errors_when_no_zstd_or_dotslash_manifest_is_available` of class `ResolveZstdCommandTest` reads `self.assertRaisesRegex`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66290, "scanner": "repobility-ast-engine", "fingerprint": "5bf7ee8939c3996408431b59acce6033369b26350a48f62efa09a8750704151b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5bf7ee8939c3996408431b59acce6033369b26350a48f62efa09a8750704151b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/codex_package/test_archive.py"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_falls_back_to_dotslash_manifest` of class `ResolveZstdCommandTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66289, "scanner": "repobility-ast-engine", "fingerprint": "0458e8738dcac05ea17e956f90bca9074c6174b5e5f90f1f682d93b933bda950", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0458e8738dcac05ea17e956f90bca9074c6174b5e5f90f1f682d93b933bda950"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/codex_package/test_archive.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_prefers_zstd_from_path` of class `ResolveZstdCommandTest` reads `self.assertEqual`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66288, "scanner": "repobility-ast-engine", "fingerprint": "977f5e91195449a818554eabc43da1c0e58440bc8b9b8aa2aa427075b9750cd6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|977f5e91195449a818554eabc43da1c0e58440bc8b9b8aa2aa427075b9750cd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/codex_package/test_archive.py"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED106", "level": "error", "message": {"text": "[MINED106] Phantom test coverage: test_errors_when_no_zstd_or_dotslash_manifest_is_available: Test function `test_errors_when_no_zstd_or_dotslash_manifest_is_available` runs code but contains no assert / expect / should call \u2014 it passes regardless of behaviour. Adds line coverage without verifying anything."}, "properties": {"repobilityId": 66287, "scanner": "repobility-ast-engine", "fingerprint": "de2882e468444689165fa85754e427b5bc5835408eb1f7f74255592c72adea1f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "phantom-test-coverage", "owasp": null, "cwe_ids": ["CWE-1126"], "languages": ["python"], "observations_count": 982154}, "scanner": "repobility-ast-engine", "correlation_key": "fp|de2882e468444689165fa85754e427b5bc5835408eb1f7f74255592c72adea1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/codex_package/test_archive.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.exe_suffix` used but never assigned in __init__: Method `rg_name` of class `TargetSpec` reads `self.exe_suffix`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66286, "scanner": "repobility-ast-engine", "fingerprint": "a7d0770b21f4e5c56d133d8e164e4fd71ccaac159bef1eee9d2a7b57d21d1fad", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a7d0770b21f4e5c56d133d8e164e4fd71ccaac159bef1eee9d2a7b57d21d1fad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/codex_package/targets.py"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_error` used but never assigned in __init__: Method `do_GET` of class `_ProxyHandler` reads `self.send_error`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66276, "scanner": "repobility-ast-engine", "fingerprint": "21d48665e0029187a350e676561d069e26b463aaae8bc30a19d18736740537b0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|21d48665e0029187a350e676561d069e26b463aaae8bc30a19d18736740537b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/windows-sandbox-rs/sandbox_smoketests.py"}, "region": {"startLine": 177}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.wfile` used but never assigned in __init__: Method `do_GET` of class `_ProxyHandler` reads `self.wfile`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66275, "scanner": "repobility-ast-engine", "fingerprint": "879b5259ce5bfe91c3eec35e3aeac2b23da8cce9f5a30ce3776377ef48bdfb0f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|879b5259ce5bfe91c3eec35e3aeac2b23da8cce9f5a30ce3776377ef48bdfb0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/windows-sandbox-rs/sandbox_smoketests.py"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_error` used but never assigned in __init__: Method `do_GET` of class `_ProxyHandler` reads `self.send_error`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66274, "scanner": "repobility-ast-engine", "fingerprint": "6997117e032beeeb2f482ae4364412db7c22ed6c7075cd7247bc7fe2a0e4e446", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6997117e032beeeb2f482ae4364412db7c22ed6c7075cd7247bc7fe2a0e4e446"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/windows-sandbox-rs/sandbox_smoketests.py"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_error` used but never assigned in __init__: Method `do_GET` of class `_ProxyHandler` reads `self.send_error`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66273, "scanner": "repobility-ast-engine", "fingerprint": "09116825182dcb59093f09316bb9a0064fe72d36e4242ba40dc24931e9e4a743", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|09116825182dcb59093f09316bb9a0064fe72d36e4242ba40dc24931e9e4a743"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/windows-sandbox-rs/sandbox_smoketests.py"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.end_headers` used but never assigned in __init__: Method `do_GET` of class `_ProxyHandler` reads `self.end_headers`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66272, "scanner": "repobility-ast-engine", "fingerprint": "ac68e2bfaf71c364a09194a91f9d9595deb3f292812887fb930f19be80f86e60", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ac68e2bfaf71c364a09194a91f9d9595deb3f292812887fb930f19be80f86e60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/windows-sandbox-rs/sandbox_smoketests.py"}, "region": {"startLine": 186}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `_ProxyHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66271, "scanner": "repobility-ast-engine", "fingerprint": "3e5ed1c242fe54e3cb3e578c375d84819262ec0f4691c7f38fdadf6e302d8d03", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3e5ed1c242fe54e3cb3e578c375d84819262ec0f4691c7f38fdadf6e302d8d03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/windows-sandbox-rs/sandbox_smoketests.py"}, "region": {"startLine": 185}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `_ProxyHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66270, "scanner": "repobility-ast-engine", "fingerprint": "5c20acc1c7c44aba38322e064c0ff97f3495fcc7f2d5aa017cb5901688418d79", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5c20acc1c7c44aba38322e064c0ff97f3495fcc7f2d5aa017cb5901688418d79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/windows-sandbox-rs/sandbox_smoketests.py"}, "region": {"startLine": 184}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_response` used but never assigned in __init__: Method `do_GET` of class `_ProxyHandler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66269, "scanner": "repobility-ast-engine", "fingerprint": "84b1c25e532b0f7512b6a22417bb861d15bbee45da18dcd9956f2e758a2ebfd6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|84b1c25e532b0f7512b6a22417bb861d15bbee45da18dcd9956f2e758a2ebfd6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/windows-sandbox-rs/sandbox_smoketests.py"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.path` used but never assigned in __init__: Method `do_GET` of class `_ProxyHandler` reads `self.path`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66268, "scanner": "repobility-ast-engine", "fingerprint": "bbdb92299f97161e5cb7c0fe7e358cdb285ac992e1a6c71075c5839e181be4dc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|bbdb92299f97161e5cb7c0fe7e358cdb285ac992e1a6c71075c5839e181be4dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/windows-sandbox-rs/sandbox_smoketests.py"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.wfile` used but never assigned in __init__: Method `do_GET` of class `_TargetHandler` reads `self.wfile`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66267, "scanner": "repobility-ast-engine", "fingerprint": "acffe83a03706e33d10c7299e764ef9a1629ce5e1f65680f240631548a6e8caa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|acffe83a03706e33d10c7299e764ef9a1629ce5e1f65680f240631548a6e8caa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/windows-sandbox-rs/sandbox_smoketests.py"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.end_headers` used but never assigned in __init__: Method `do_GET` of class `_TargetHandler` reads `self.end_headers`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66266, "scanner": "repobility-ast-engine", "fingerprint": "ed51c201005b4c9300ceff0ac9ebb89b0036b665532c3934e1cfb72a0b2a8fee", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ed51c201005b4c9300ceff0ac9ebb89b0036b665532c3934e1cfb72a0b2a8fee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/windows-sandbox-rs/sandbox_smoketests.py"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `_TargetHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66265, "scanner": "repobility-ast-engine", "fingerprint": "acfe039d566ce1efb7de059936c1071bb5030766e1ce80d5d5d19cbf3f5b6047", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|acfe039d566ce1efb7de059936c1071bb5030766e1ce80d5d5d19cbf3f5b6047"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/windows-sandbox-rs/sandbox_smoketests.py"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `do_GET` of class `_TargetHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66264, "scanner": "repobility-ast-engine", "fingerprint": "225a38f8425c57559491ef705cf5fec2e29cdda9297ade878996006513276e91", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|225a38f8425c57559491ef705cf5fec2e29cdda9297ade878996006513276e91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/windows-sandbox-rs/sandbox_smoketests.py"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_response` used but never assigned in __init__: Method `do_GET` of class `_TargetHandler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 66263, "scanner": "repobility-ast-engine", "fingerprint": "ec97d02ade56afaca84a6e3c4b9fa228057874e954d11e5db2ecc06402a78054", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ec97d02ade56afaca84a6e3c4b9fa228057874e954d11e5db2ecc06402a78054"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/windows-sandbox-rs/sandbox_smoketests.py"}, "region": {"startLine": 152}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 66260, "scanner": "repobility-docker", "fingerprint": "12a8c3651ac8da8840bbc1cf2429f3cef5cfe984ab070b95c841be5aed9ab844", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|12a8c3651ac8da8840bbc1cf2429f3cef5cfe984ab070b95c841be5aed9ab844"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile.secure"}, "region": {"startLine": 80}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 66259, "scanner": "repobility-docker", "fingerprint": "bac37f9646da11f277c9bd6bf824b1db00a0337b744ff49af68c0587c3613c3a", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|bac37f9646da11f277c9bd6bf824b1db00a0337b744ff49af68c0587c3613c3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile.secure"}, "region": {"startLine": 53}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 66257, "scanner": "repobility-docker", "fingerprint": "9533848523e58b1300a8eb513b6b30c34077080c32ec4d4469775252bdbdbd6d", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9533848523e58b1300a8eb513b6b30c34077080c32ec4d4469775252bdbdbd6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 66223, "scanner": "repobility-threat-engine", "fingerprint": "b36069ca0af39160f33b8748b17e32833adff4b4f7a0a8245d7c27bec4f4d9a5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b36069ca0af39160f33b8748b17e32833adff4b4f7a0a8245d7c27bec4f4d9a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/mock_responses_websocket_server.py"}, "region": {"startLine": 203}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 66222, "scanner": "repobility-threat-engine", "fingerprint": "fb0a3ae49f31629965fe08073c20b3b4489f02c727e2444c24163fdb886d7b3a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fb0a3ae49f31629965fe08073c20b3b4489f02c727e2444c24163fdb886d7b3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/skills/src/assets/samples/skill-installer/scripts/list-skills.py"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 66221, "scanner": "repobility-threat-engine", "fingerprint": "067b7568aef29f21759aa32598872fe5a9a1383e819d6a39289386b1dbceea0f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|067b7568aef29f21759aa32598872fe5a9a1383e819d6a39289386b1dbceea0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/skills/src/assets/samples/skill-installer/scripts/install-skill-from-github.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC005", "level": "error", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 66215, "scanner": "repobility-threat-engine", "fingerprint": "4cb849cc8ca225525ac26b4a230f5aa5a8a98b268a5fb9c4a93c4b5091c4da85", "category": "injection", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Command source appears controllable (config/plugin/argv/user input)", "evidence": {"match": "exec(argv", "reason": "Command source appears controllable (config/plugin/argv/user input)", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|injection|token|41|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/linux-sandbox/src/launcher.rs"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 66210, "scanner": "repobility-threat-engine", "fingerprint": "76ca5f59de469401e37edf44e60a0c503df2e187d8b331615c4712e5222ff61c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|76ca5f59de469401e37edf44e60a0c503df2e187d8b331615c4712e5222ff61c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/linux-sandbox/src/landlock.rs"}, "region": {"startLine": 258}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 66200, "scanner": "repobility-threat-engine", "fingerprint": "9f3b706aba7cdc302bfebdd6eed6b85d0b25755e5b1213442e3468ac52e95d55", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(exec_params", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9f3b706aba7cdc302bfebdd6eed6b85d0b25755e5b1213442e3468ac52e95d55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/exec-server/src/server/handler/tests.rs"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 66199, "scanner": "repobility-threat-engine", "fingerprint": "dea8c45483660f6941297fcc7c6156bd1eb73fb0d56fea385336673e167936c0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(params", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dea8c45483660f6941297fcc7c6156bd1eb73fb0d56fea385336673e167936c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/exec-server/src/remote_process.rs"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 66198, "scanner": "repobility-threat-engine", "fingerprint": "09f06544fba79558e1c11e5e874aeeae4b1039783312cc9558041b3ec7eb07f6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(ExecCommand", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|09f06544fba79558e1c11e5e874aeeae4b1039783312cc9558041b3ec7eb07f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/cloud-tasks/src/cli.rs"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 66193, "scanner": "repobility-threat-engine", "fingerprint": "881e6bb19785d6020457e2d929287c20adc30e5f1bd5a2c5463fd40db76c9a55", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "bytes(params.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|881e6bb19785d6020457e2d929287c20adc30e5f1bd5a2c5463fd40db76c9a55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/exec-server/src/client/reqwest_http_client.rs"}, "region": {"startLine": 125}}}]}, {"ruleId": "SEC035", "level": "error", "message": {"text": "[SEC035] Unbounded Resource Allocation \u2014 DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants."}, "properties": {"repobilityId": 66192, "scanner": "repobility-threat-engine", "fingerprint": "4f564e6388c638d68155901236f5ace5779876111e3faf6388716c68448c7dad", "category": "resource_exhaustion", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Bytes(request.", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC035", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4f564e6388c638d68155901236f5ace5779876111e3faf6388716c68448c7dad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/aws-auth/src/signing.rs"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 66190, "scanner": "repobility-threat-engine", "fingerprint": "893fe4bdc24e0c62612579044dbb18684b53e59589a7d2e98a5824bc2b26bab2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|893fe4bdc24e0c62612579044dbb18684b53e59589a7d2e98a5824bc2b26bab2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/cli/src/debug_sandbox/seatbelt.rs"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 66189, "scanner": "repobility-threat-engine", "fingerprint": "d1288bbec869c558b7bec8298b67e8873bd8f0b14e0dcc22d87f75af86d28f38", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d1288bbec869c558b7bec8298b67e8873bd8f0b14e0dcc22d87f75af86d28f38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/cli/src/debug_sandbox/pid_tracker.rs"}, "region": {"startLine": 359}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 66188, "scanner": "repobility-threat-engine", "fingerprint": "8e29910c975dd81e45453524443df241868892041351ae7e9a721c563aba357f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8e29910c975dd81e45453524443df241868892041351ae7e9a721c563aba357f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/app-server/src/fuzzy_file_search.rs"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 66176, "scanner": "repobility-threat-engine", "fingerprint": "1257ca96f270cb31ad5dc3bacb7022861e186d5a7a573bf035671a50fb2d1568", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1257ca96f270cb31ad5dc3bacb7022861e186d5a7a573bf035671a50fb2d1568"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/connectors/src/directory_cache.rs"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 66175, "scanner": "repobility-threat-engine", "fingerprint": "03db03fab0a0f529ce868e695cf546a949ead2a0191ed97380d8a58c951cf002", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|03db03fab0a0f529ce868e695cf546a949ead2a0191ed97380d8a58c951cf002"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/codex-mcp/src/codex_apps.rs"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 66174, "scanner": "repobility-threat-engine", "fingerprint": "70bbd68d76aee61acbc46975e6aeabae0e93b71b92fbcff14b3881b232d4d8dd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|70bbd68d76aee61acbc46975e6aeabae0e93b71b92fbcff14b3881b232d4d8dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/analytics/src/accepted_lines.rs"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 66172, "scanner": "repobility-threat-engine", "fingerprint": "dd83be4aa29d55ec3cb0bb5c6baff71d4bebb732b3d7623f347158bfbafc1720", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hasher.update(serialized);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dd83be4aa29d55ec3cb0bb5c6baff71d4bebb732b3d7623f347158bfbafc1720"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/config/src/fingerprint.rs"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 66171, "scanner": "repobility-threat-engine", "fingerprint": "351ebdc8681f8c3188ff8b3695a961e83fb42b4993c72db25490900d287442cb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "mac.update(payload_bytes);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|351ebdc8681f8c3188ff8b3695a961e83fb42b4993c72db25490900d287442cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/cloud-config/src/cache.rs"}, "region": {"startLine": 222}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 66170, "scanner": "repobility-threat-engine", "fingerprint": "340c47b7735dd63af2a185cef0e0fc209ae232a4232c9969c87b9edf366f75e9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hasher.update(b\"file-line-v1\\0\");", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|340c47b7735dd63af2a185cef0e0fc209ae232a4232c9969c87b9edf366f75e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/analytics/src/accepted_lines.rs"}, "region": {"startLine": 87}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 66168, "scanner": "repobility-threat-engine", "fingerprint": "8da38f567f54b0622107ab71a082b5cce13660174f06f94d2af061c334343824", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8da38f567f54b0622107ab71a082b5cce13660174f06f94d2af061c334343824"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/chatgpt/src/connectors.rs"}, "region": {"startLine": 233}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 66167, "scanner": "repobility-threat-engine", "fingerprint": "01547c42b2fbb46904f73c19b70bb7accaad4c6af75807ced0729910a153d21e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|01547c42b2fbb46904f73c19b70bb7accaad4c6af75807ced0729910a153d21e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/app-server-transport/src/transport/remote_control/clients.rs"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 66166, "scanner": "repobility-threat-engine", "fingerprint": "fa94442f0e7c10dcc1acb5be8883dea55a930e3abf01fe554f4a63358439bca1", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fa94442f0e7c10dcc1acb5be8883dea55a930e3abf01fe554f4a63358439bca1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/analytics/src/accepted_lines.rs"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BUILDBUDDY_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BUILDBUDDY_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66325, "scanner": "repobility-supply-chain", "fingerprint": "1a7dada4803c48ff35389dd018d9e84fa8b27046145f494883eaab2e0f5ebe97", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1a7dada4803c48ff35389dd018d9e84fa8b27046145f494883eaab2e0f5ebe97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rust-ci.yml"}, "region": {"startLine": 203}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BUILDBUDDY_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BUILDBUDDY_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66324, "scanner": "repobility-supply-chain", "fingerprint": "b4c518eef9cc2b5353c51168b9a03480e66ee9f592c6d0912462c2503806208f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b4c518eef9cc2b5353c51168b9a03480e66ee9f592c6d0912462c2503806208f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/v8-canary.yml"}, "region": {"startLine": 216}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BUILDBUDDY_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BUILDBUDDY_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66323, "scanner": "repobility-supply-chain", "fingerprint": "1fa26d1a5e57ec89be67e1ed1f64f05f4b3cf535e246a01296308af350129b31", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1fa26d1a5e57ec89be67e1ed1f64f05f4b3cf535e246a01296308af350129b31"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/v8-canary.yml"}, "region": {"startLine": 182}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BUILDBUDDY_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BUILDBUDDY_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66320, "scanner": "repobility-supply-chain", "fingerprint": "8df498371fb49ba34c67b45fd1541063d6de16ab5acaf6fd45b68050643693a0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8df498371fb49ba34c67b45fd1541063d6de16ab5acaf6fd45b68050643693a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BUILDBUDDY_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BUILDBUDDY_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66319, "scanner": "repobility-supply-chain", "fingerprint": "d985ca1a119316806ae547a7ebf44898b96d6ce2e5929781284706c3545c0be5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d985ca1a119316806ae547a7ebf44898b96d6ce2e5929781284706c3545c0be5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 509}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BUILDBUDDY_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BUILDBUDDY_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66318, "scanner": "repobility-supply-chain", "fingerprint": "d8de0e88c148750e6bfb28ed563cfe8adb11bfadf0b43de0b32f27c77ea11ae7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d8de0e88c148750e6bfb28ed563cfe8adb11bfadf0b43de0b32f27c77ea11ae7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 464}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BUILDBUDDY_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BUILDBUDDY_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66317, "scanner": "repobility-supply-chain", "fingerprint": "afc8d9a5d3edb6644557b7da14ee6e776501da13dbbb4cd6ce0bb12c0a4c8563", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|afc8d9a5d3edb6644557b7da14ee6e776501da13dbbb4cd6ce0bb12c0a4c8563"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 371}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BUILDBUDDY_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BUILDBUDDY_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66316, "scanner": "repobility-supply-chain", "fingerprint": "d084c7fde5e61dc2f455e7a8f35558119a36555274d89fdf84fbcec49b202920", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d084c7fde5e61dc2f455e7a8f35558119a36555274d89fdf84fbcec49b202920"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 284}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BUILDBUDDY_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BUILDBUDDY_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66315, "scanner": "repobility-supply-chain", "fingerprint": "ea3e3190f9f953c580fd8703a0eb9c78e3a46ac556ad7d5cbc2d035d6c143547", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ea3e3190f9f953c580fd8703a0eb9c78e3a46ac556ad7d5cbc2d035d6c143547"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 182}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BUILDBUDDY_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BUILDBUDDY_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66314, "scanner": "repobility-supply-chain", "fingerprint": "e368983b23fdc51a7c41dbbc5161000a05e801d9014816a78c25ee24aae968de", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e368983b23fdc51a7c41dbbc5161000a05e801d9014816a78c25ee24aae968de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bazel.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 66214, "scanner": "repobility-threat-engine", "fingerprint": "ea17fc81b2ed254b6e40328d9e31fb868a74ce921ad7fb669c5a80dc5b0f420e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea17fc81b2ed254b6e40328d9e31fb868a74ce921ad7fb669c5a80dc5b0f420e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/feedback/src/feedback_diagnostics.rs"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 66187, "scanner": "repobility-threat-engine", "fingerprint": "f722e774b819137aeed5f70c16b12f247fcf91837228e598b830bfdecb30b1d7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f722e774b819137aeed5f70c16b12f247fcf91837228e598b830bfdecb30b1d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/memories/write/src/prompts.rs"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 66186, "scanner": "repobility-threat-engine", "fingerprint": "4ff2877a2ab0d42c94a3212613096281a416095394010e65dfbe70716db52eb4", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4ff2877a2ab0d42c94a3212613096281a416095394010e65dfbe70716db52eb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "codex-rs/app-server/src/app_server_tracing.rs"}, "region": {"startLine": 68}}}]}]}]}