{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. 
This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "AI-assisted edits often create a new sibling file instead of integrating the change into the existing module. That leaves two paths for future maintainers to understand and can hide the code that is actually wired into the app."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", 
"severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "Add regression tests for anonymous denial, cross-user object denial, admin role limits, and super_admin-only behavior."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. 
They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "AIC009", "name": "Multiple AI-agent scaffold marker files are present", "shortDescription": {"text": "Multiple AI-agent scaffold marker files are present"}, "fullDescription": {"text": "Repositories with several agent instruction, progress, or completion marker files are often generated scaffolds. They are not automatically wrong, but they deserve a reachability and ownership review before users treat the code as production-ready."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 23 more): Same pattern found in 23 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 23 more): Same pattern found in 23 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `testing` pulled from URL/Git: `devDependencies.testing` = `link:@apollo/client/testing` byp", "shortDescription": {"text": "[MINED122] package.json dep `testing` pulled from URL/Git: `devDependencies.testing` = `link:@apollo/client/testing` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is comp"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN009", "name": "Secret-like setting is echoed into a password input value", "shortDescription": {"text": "Secret-like setting is echoed into a password input value"}, "fullDescription": {"text": "Settings screens sometimes render API keys, tokens, or passwords back into HTML/JSX password fields. That still exposes the secret to page source, browser extensions, screenshots, and DOM scraping."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.83, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . sends the full build context to Docker. 
Without .dockerignore this can include secrets, git history, and local artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Piping downloaded code directly into a shell bypasses checksum verification and makes builds dependent on mutable remote content."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.AWS_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_re", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.AWS_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.AWS_SECRET_ACCESS_KEY }` lets a PR from any fork exfil"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/235"}, "properties": {"repository": "erxes/erxes", "repoUrl": "https://github.com/erxes/erxes", "branch": "main"}, "results": [{"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 46058, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 46053, "scanner": "repobility-threat-engine", "fingerprint": "a213b2d10e13537ed0ee0e2f0456007598e257ea8a4468b66c4e061684695226", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (error) {\n    return null;\n  }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a213b2d10e13537ed0ee0e2f0456007598e257ea8a4468b66c4e061684695226"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/posclient-front/app/(main)/report/utils/date.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 46051, "scanner": "repobility-threat-engine", "fingerprint": "2285713e85caf2db2ab537d649ef0dcc7ada3174937fa24c62526a57fba2fed9", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|apps/posclient-front/app/ main /report/utils/date.ts|12|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/posclient-front/app/(main)/report/utils/date.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 7636, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 7635, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", 
"severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 7629, "scanner": "repobility-journey-contract", "fingerprint": "4a3cb0cc81fab2761a2af7e4e1572aec853cc7b06440e3d00027d34d3bb18018", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/unfetch-order-info", "correlation_key": "fp|4a3cb0cc81fab2761a2af7e4e1572aec853cc7b06440e3d00027d34d3bb18018", "backend_endpoint_count": 1}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/plugins/sales_api/src/routes.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 7627, "scanner": "repobility-access-control", "fingerprint": 
"b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 1, "correlation_key": "fp|b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "auth_visible_percent": 0.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 7626, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "Next.js", "GraphQL"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 7625, "scanner": "repobility-docker", "fingerprint": "82bda3188b099f279c77d8fd3bf65f7fdd6220c83e726c02c82cabc0fd8353dd", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nginx:alpine", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|82bda3188b099f279c77d8fd3bf65f7fdd6220c83e726c02c82cabc0fd8353dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/core-ui/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 7623, "scanner": "repobility-docker", "fingerprint": "285c34d5870d9de156394b094e9d5b7f63f77a55ed6ead706be90497342b9366", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:22-bookworm", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|285c34d5870d9de156394b094e9d5b7f63f77a55ed6ead706be90497342b9366"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/gateway/Dockerfile"}, "region": {"startLine": 61}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 7620, "scanner": "repobility-docker", "fingerprint": "c8daaf157cfac1be0a7ce9eb1830eeff3c6dbf7409faa4dd3f86f5bfa78255ad", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:22-alpine", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c8daaf157cfac1be0a7ce9eb1830eeff3c6dbf7409faa4dd3f86f5bfa78255ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/posclient-front/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 7618, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 7617, "scanner": "repobility-docker", "fingerprint": "b8c92b83a98eaaf9d742232a20da06361194ba61881fe940b3f89041702b15f3", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nginx:alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", 
"https://github.com/hadolint/hadolint"], "correlation_key": "fp|b8c92b83a98eaaf9d742232a20da06361194ba61881fe940b3f89041702b15f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/frontline-widgets/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 7615, "scanner": "repobility-threat-engine", "fingerprint": "184fa686b4079738a5b5fac3f0c85066b8367b4f1db32347644951d7b71d037b", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.3 bits) \u2014 may be placeholder or common string. Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "Password = '<redacted>'", "reason": "Low entropy value (3.3 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|1|password redacted", "duplicate_count": 1, "duplicate_rule_ids": ["SEC001"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["102aee41c15536cad32d3cd3ec43b8b759240e7f824bc25c5df364ee05ec0159", "184fa686b4079738a5b5fac3f0c85066b8367b4f1db32347644951d7b71d037b"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/core-ui/src/modules/types/paths/AppPath.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7612, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d2b9f993572a2a1c0c9553b3d6236c2f42403245d2f780fc3e26cf726102a3db", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized 
source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/posclient-front/modules/products/components/productItem/productItem.coffeeShop.tsx", "duplicate_line": 154, "correlation_key": "fp|d2b9f993572a2a1c0c9553b3d6236c2f42403245d2f780fc3e26cf726102a3db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/posclient-front/modules/products/components/productItem/productItem.main.tsx"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7611, "scanner": "repobility-ai-code-hygiene", "fingerprint": "73cc193153178c6861436a549badf853749bce66df3e7a518a69269da102bf1f", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/posclient-front/modules/checkout/hooks/useCapitron.tsx", "duplicate_line": 1, "correlation_key": "fp|73cc193153178c6861436a549badf853749bce66df3e7a518a69269da102bf1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/posclient-front/modules/checkout/hooks/useTDB.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7610, "scanner": "repobility-ai-code-hygiene", "fingerprint": "651cc3a0f5a93f10feb7a77e1251e8c2ec9d12a9bd36877bf631433982165b0d", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A 
normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/posclient-front/modules/checkout/components/paymentType/selectPaymentType.main.tsx", "duplicate_line": 31, "correlation_key": "fp|651cc3a0f5a93f10feb7a77e1251e8c2ec9d12a9bd36877bf631433982165b0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/posclient-front/modules/checkout/components/paymentType/selectPaymentType.market.tsx"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "warning", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7602, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e1fdd9e526378ebd605da92a38c594973dd26fe313366291d5928a163a6b99d7", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/frontline-widgets/src/app/form/index.tsx", "duplicate_line": 86, "correlation_key": "fp|e1fdd9e526378ebd605da92a38c594973dd26fe313366291d5928a163a6b99d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/frontline-widgets/src/app/form/live-form.tsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 7600, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c1551e688f9d6f86fc498ab4b2f01f7ee2da5cdc089914bdd76331a452662b28", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Source 
filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "new", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "frontend/libs/erxes-ui/src/components/upload.tsx", "correlation_key": "fp|c1551e688f9d6f86fc498ab4b2f01f7ee2da5cdc089914bdd76331a452662b28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/libs/erxes-ui/src/components/upload-new.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 46059, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d435c21fa5d445cdd9ea3d944299f93fe29e2b1c9a2a09c81b0ebed0d2667a5e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/frontline-widgets/src/app/form/index.tsx", "duplicate_line": 93, "correlation_key": "fp|d435c21fa5d445cdd9ea3d944299f93fe29e2b1c9a2a09c81b0ebed0d2667a5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/frontline-widgets/src/app/form/live-form.tsx"}, "region": {"startLine": 55}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 7634, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", 
"evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 7633, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 7632, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": 
"WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 7631, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 7628, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "Next.js", "GraphQL"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 7621, "scanner": "repobility-docker", "fingerprint": "2bfb016b2f43ac630d580499027415e3efd346913b72015d51c96c9ee6a128c5", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "fixed", "verdict": "likely", 
"isResolved": true, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2bfb016b2f43ac630d580499027415e3efd346913b72015d51c96c9ee6a128c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/gateway/Dockerfile"}, "region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7609, "scanner": "repobility-ai-code-hygiene", "fingerprint": "190c59aeff133889fbd09c987d1950d169b77f1a68216243a38ce2523a891f7b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/posclient-front/modules/auth/components/login.tsx", "duplicate_line": 2, "correlation_key": "fp|190c59aeff133889fbd09c987d1950d169b77f1a68216243a38ce2523a891f7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/posclient-front/modules/auth/configsFetch.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7608, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fab1346122134a7583103ce6273f8388b1a57f82999057b9d14f791dcd88409b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/posclient-front/modules/apolloClient.tsx", "duplicate_line": 18, "correlation_key": "fp|fab1346122134a7583103ce6273f8388b1a57f82999057b9d14f791dcd88409b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/posclient-front/modules/apolloClientMain.tsx"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7607, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c42c5d299312b4f37ecabd6c9951d6cc0501e2f2cf2494630467756a73939690", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/posclient-front/app/(main)/cover/components/capitron.tsx", "duplicate_line": 22, "correlation_key": "fp|c42c5d299312b4f37ecabd6c9951d6cc0501e2f2cf2494630467756a73939690"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/posclient-front/app/(main)/cover/components/tdb.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7606, "scanner": "repobility-ai-code-hygiene", "fingerprint": "498afc781b38f25051882d454ffa47b0a0ffde772d91ecafe5e64b93f908b12c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "apps/frontline-widgets/src/index.ts", "duplicate_line": 242, "correlation_key": "fp|498afc781b38f25051882d454ffa47b0a0ffde772d91ecafe5e64b93f908b12c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/frontline-widgets/src/messengerBundle.js"}, "region": {"startLine": 116}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7605, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d3001598684de88f0f4a4d99209e9cf121d99c50ef37aaed4649cea9014bfa83", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/frontline-widgets/src/messenger-widget.js", "duplicate_line": 3, "correlation_key": "fp|d3001598684de88f0f4a4d99209e9cf121d99c50ef37aaed4649cea9014bfa83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/frontline-widgets/src/messengerBundle.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7604, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2ac0de0d6e081231c18eb30a2455e1e42a623f845e60b105031e12f001478e04", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/frontline-widgets/src/index.ts", "duplicate_line": 242, "correlation_key": 
"fp|2ac0de0d6e081231c18eb30a2455e1e42a623f845e60b105031e12f001478e04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/frontline-widgets/src/messenger-widget.js"}, "region": {"startLine": 254}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 7603, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1c124800c39354a7b64cc46182d31248de1bfc06eb4dbbd9f67034e443736271", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/frontline-widgets/src/app/messenger/graphql/mutations.ts", "duplicate_line": 98, "correlation_key": "fp|1c124800c39354a7b64cc46182d31248de1bfc06eb4dbbd9f67034e443736271"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/frontline-widgets/src/app/messenger/ticket/graphql/mutations.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 7601, "scanner": "repobility-ai-code-hygiene", "fingerprint": "533d3f76ac1c9b94285e13321e06c9bbd42fbcffe8b8e2a0c50c6469ccf74215", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "fixed", "verdict": "needs_review", "isResolved": true, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "new", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|533d3f76ac1c9b94285e13321e06c9bbd42fbcffe8b8e2a0c50c6469ccf74215"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"frontend/libs/erxes-ui/src/hooks/use-upload-new.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC009", "level": "note", "message": {"text": "Multiple AI-agent scaffold marker files are present"}, "properties": {"repobilityId": 7599, "scanner": "repobility-ai-code-hygiene", "fingerprint": "637be4b7d792540c9eb7ec6ecee111643252bb60385776703cb965bcde5506e0", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "Repository root contains several AI-agent scaffold marker files.", "evidence": {"markers": [".cursorrules", "AGENTS.md", "CLAUDE.md"], "rule_id": "AIC009", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|637be4b7d792540c9eb7ec6ecee111643252bb60385776703cb965bcde5506e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".cursorrules"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 46056, "scanner": "repobility-threat-engine", "fingerprint": "4be77f4afa74bb178f9481004d122de7d1886d8125007d6d734fe7d5b72c97a8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4be77f4afa74bb178f9481004d122de7d1886d8125007d6d734fe7d5b72c97a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/posclient-front/app/reciept/cover/page.tsx"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 46055, "scanner": "repobility-threat-engine", "fingerprint": "08c82a6b07648e8dc9352d663a1287f34219ebece235448b9bdb3d3e63ed6b10", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|08c82a6b07648e8dc9352d663a1287f34219ebece235448b9bdb3d3e63ed6b10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/posclient-front/app/reciept/components/header.tsx"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 46054, "scanner": "repobility-threat-engine", "fingerprint": "0bcafabbdbf1a8b1f7659770f15ed379f303856fe66a3e847e955c7182a0448f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0bcafabbdbf1a8b1f7659770f15ed379f303856fe66a3e847e955c7182a0448f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/posclient-front/app/reciept/components/footer.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 46050, "scanner": "repobility-threat-engine", "fingerprint": "3a22ac02b2baf370d83ba17a8bec43c4e714d3f46e5467e1b51a8599f7854e5a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3a22ac02b2baf370d83ba17a8bec43c4e714d3f46e5467e1b51a8599f7854e5a", "aggregated_count": 1}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 46049, "scanner": "repobility-threat-engine", "fingerprint": "27e329f0a389879f3312124896c49d34bae3dc937025fc57a937ffaef8441513", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|27e329f0a389879f3312124896c49d34bae3dc937025fc57a937ffaef8441513"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/posclient-front/components/ui/button.tsx"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 46048, "scanner": "repobility-threat-engine", "fingerprint": "12fd379e8b18ce6bb80b11b1d48f1784cd26c88435502ff0baa6e1121ede0f72", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|12fd379e8b18ce6bb80b11b1d48f1784cd26c88435502ff0baa6e1121ede0f72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/posclient-front/app/(main)/(orders)/components/progress/ActiveOrderItem.tsx"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 46047, "scanner": "repobility-threat-engine", "fingerprint": "37b3ef207cce84c00d6b99e6b6258dfda2ad72d58bca78eacca8e108fb11705f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|37b3ef207cce84c00d6b99e6b6258dfda2ad72d58bca78eacca8e108fb11705f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/frontline-widgets/src/formIndex.ts"}, "region": {"startLine": 347}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 46046, "scanner": "repobility-threat-engine", "fingerprint": "1fb021b957f617bfff3aa1a7839406335ec42691d82d3b8ab4830a82d1c28a2a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1fb021b957f617bfff3aa1a7839406335ec42691d82d3b8ab4830a82d1c28a2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/posclient-front/app/(main)/report/components/form.tsx"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 46045, "scanner": "repobility-threat-engine", "fingerprint": "98c04b644c761d4267cb00f7868561d042fce079a361993e2c96be887addde63", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|98c04b644c761d4267cb00f7868561d042fce079a361993e2c96be887addde63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/frontline-widgets/src/app/messenger/hooks/useSaveBrowserInfo.tsx"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 46044, "scanner": "repobility-threat-engine", "fingerprint": "21ed80a5ddd021c94a20eb62cddc1b0c5075df63c6fe0fac4807d3c18a53bcad", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|21ed80a5ddd021c94a20eb62cddc1b0c5075df63c6fe0fac4807d3c18a53bcad", "aggregated_count": 4}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 46043, "scanner": "repobility-threat-engine", "fingerprint": "c701e1963e08272c79d386276f2a8e4ff816643fda41bb3439abec6771e69d20", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c701e1963e08272c79d386276f2a8e4ff816643fda41bb3439abec6771e69d20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/frontline-widgets/src/app/messenger/hooks/useTicketsForm.tsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 46042, "scanner": "repobility-threat-engine", "fingerprint": "495fa64a97b20b0eda2c9a8516079a56e8ea73a739bb03417d887befcf411137", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|495fa64a97b20b0eda2c9a8516079a56e8ea73a739bb03417d887befcf411137"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/frontline-widgets/src/app/messenger/hooks/useConversationDetail.tsx"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 46041, "scanner": "repobility-threat-engine", "fingerprint": "5d9ecd67ce2f57b21b56f574b3e2912a4b916272a6fc823c727b1a0c477f2945", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5d9ecd67ce2f57b21b56f574b3e2912a4b916272a6fc823c727b1a0c477f2945"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/frontline-widgets/src/app/messenger/components/header-tab-item.tsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 7 more): Same pattern found in 7 additional files. 
Review if needed."}, "properties": {"repobilityId": 46040, "scanner": "repobility-threat-engine", "fingerprint": "da09a0e109d8491397c79f85ac498a8a3f321cda8bb454968b775da40d045a81", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|da09a0e109d8491397c79f85ac498a8a3f321cda8bb454968b775da40d045a81", "aggregated_count": 7}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 46039, "scanner": "repobility-threat-engine", "fingerprint": "3d99f20e9c1a11a1487f27d3dd8f0427937d28955971b520e5aeb5423c1b5501", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3d99f20e9c1a11a1487f27d3dd8f0427937d28955971b520e5aeb5423c1b5501"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"apps/frontline-widgets/src/app/messenger/components/persistent-menu.tsx"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 46038, "scanner": "repobility-threat-engine", "fingerprint": "8fd53aaf9332c1b23af2a248998ccefe5b07268e005ebc4e2dc4d06b0fb41c96", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8fd53aaf9332c1b23af2a248998ccefe5b07268e005ebc4e2dc4d06b0fb41c96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/frontline-widgets/src/app/messenger/components/avatar-group.tsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 46037, "scanner": "repobility-threat-engine", "fingerprint": "887ce880b55159319d6fa40439dc17b3843172ae2443ce240d9e74386780b04a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", 
"triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|887ce880b55159319d6fa40439dc17b3843172ae2443ce240d9e74386780b04a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/frontline-widgets/src/app/form/components/steps.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "properties": {"repobilityId": 46035, "scanner": "repobility-threat-engine", "fingerprint": "fc5439134b90b1660bbba9620be873a5242a183186b17f5659a193d4c34558c2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fc5439134b90b1660bbba9620be873a5242a183186b17f5659a193d4c34558c2", "aggregated_count": 23}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 46034, "scanner": "repobility-threat-engine", "fingerprint": "23281589b4c471fabbbf9f83d6e44fdc3e28297366c6623cfa998565fc511cd7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|23281589b4c471fabbbf9f83d6e44fdc3e28297366c6623cfa998565fc511cd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/frontline-widgets/src/app/messenger/hooks/useWidgetNotifications.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 46033, "scanner": "repobility-threat-engine", "fingerprint": "6d4b00a8a5d63a8238aa743a8498da739c2d261bd56454f7c403ce56153fa835", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6d4b00a8a5d63a8238aa743a8498da739c2d261bd56454f7c403ce56153fa835"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/frontline-widgets/src/app/form/types/formTypes.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 46032, "scanner": "repobility-threat-engine", "fingerprint": "6176d428e0c6694d14cab94f9194ba95cd53ec0736793d98fdaef0dfecbdfd96", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6176d428e0c6694d14cab94f9194ba95cd53ec0736793d98fdaef0dfecbdfd96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/frontline-widgets/rspack.config.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 7614, "scanner": "repobility-threat-engine", "fingerprint": "8896aebc02b318c777fb51d8fd82c98f282ffd773ea2ffd253adbb344c1bba77", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|18|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/core-ui/src/modules/settings/tags/components/TagsListRowForm.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. 
Output is predictable."}, "properties": {"repobilityId": 7613, "scanner": "repobility-threat-engine", "fingerprint": "724a3763e34245a763597377daf9fa00ad023b65f5248040415f0d3dd11d113b", "category": "crypto", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "code|crypto|token|23|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/core-ui/src/providers/apollo-provider/apolloClient.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46133, "scanner": "repobility-supply-chain", "fingerprint": "abd36f04b45b7e6e8fd74dc3d8c00a129352d8a221bdf2ddb6f7b7dfbc4399d4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|abd36f04b45b7e6e8fd74dc3d8c00a129352d8a221bdf2ddb6f7b7dfbc4399d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-operation.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46130, "scanner": "repobility-supply-chain", "fingerprint": "f39f34e8f5b569eae34bc13cb397335f85b07ff166e9952731d5d29c1dcf7347", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f39f34e8f5b569eae34bc13cb397335f85b07ff166e9952731d5d29c1dcf7347"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-frontline.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v2`: `uses: pnpm/action-setup@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46129, "scanner": "repobility-supply-chain", "fingerprint": "df0bc03c5365d84c8e60284d60f20412c9493f24c7950b367d0928b9ecd59379", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|df0bc03c5365d84c8e60284d60f20412c9493f24c7950b367d0928b9ecd59379"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-frontline.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46128, "scanner": "repobility-supply-chain", "fingerprint": "cc39abb528de15be0a3040079c5749c08fcf4183823903916b6be936eae18831", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cc39abb528de15be0a3040079c5749c08fcf4183823903916b6be936eae18831"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-frontline.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46120, "scanner": "repobility-supply-chain", "fingerprint": "32735772b0293831797edbda67ac8aa63cb222dda7b17534bd551955674922c6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|32735772b0293831797edbda67ac8aa63cb222dda7b17534bd551955674922c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-tourism.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v2`: `uses: pnpm/action-setup@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46117, "scanner": "repobility-supply-chain", "fingerprint": "350e8aa83c4918659502c70c56888af31f8491d35e30c0ea23e181fcfb1ac410", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|350e8aa83c4918659502c70c56888af31f8491d35e30c0ea23e181fcfb1ac410"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-tourism.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46116, "scanner": "repobility-supply-chain", "fingerprint": "1ac7c1a0799410360c2da5dcfe48eadead408962c1f9ebcc851a081f18837542", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ac7c1a0799410360c2da5dcfe48eadead408962c1f9ebcc851a081f18837542"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-tourism.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46112, "scanner": "repobility-supply-chain", "fingerprint": "b14600d79b9c66d8fdaf359377c87fff05d83f0eea204fe237d76cb93fb50078", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b14600d79b9c66d8fdaf359377c87fff05d83f0eea204fe237d76cb93fb50078"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-accounting.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v2`: `uses: pnpm/action-setup@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46111, "scanner": "repobility-supply-chain", "fingerprint": "cd16aad5db6cc8656af674d8c4261666cecf7289a6b595814f3cf14ee2b33c2f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd16aad5db6cc8656af674d8c4261666cecf7289a6b595814f3cf14ee2b33c2f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-accounting.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46110, "scanner": "repobility-supply-chain", "fingerprint": "f2b8d48d3ce2d7652e9d55b994d421b3d1bdc8841d4560eeb466bef31ddf8cb0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f2b8d48d3ce2d7652e9d55b994d421b3d1bdc8841d4560eeb466bef31ddf8cb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-accounting.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46094, "scanner": "repobility-supply-chain", "fingerprint": "a344960a15d3c48e3eece649772ce7ce53d7b207938f846168de7ed9dbba7afc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a344960a15d3c48e3eece649772ce7ce53d7b207938f846168de7ed9dbba7afc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-loyalty.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v2`: `uses: pnpm/action-setup@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46093, "scanner": "repobility-supply-chain", "fingerprint": "9a76197321fd8f666f3cf09677e62e8a473a0ae962cd3af30f3e6ccaae3cd164", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a76197321fd8f666f3cf09677e62e8a473a0ae962cd3af30f3e6ccaae3cd164"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-loyalty.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46092, "scanner": "repobility-supply-chain", "fingerprint": "4b6b65d8ef8d2779c8fc19c2113f92076f07eebb2cfc85e788332330c101c3ba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4b6b65d8ef8d2779c8fc19c2113f92076f07eebb2cfc85e788332330c101c3ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-loyalty.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `anthropics/claude-code-action` pinned to mutable ref `@v1`: `uses: anthropics/claude-code-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46090, "scanner": "repobility-supply-chain", "fingerprint": "a4de0d85bded06256f0ea074295a7aabb72511fb4dd74b33e13edd8c824230e3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a4de0d85bded06256f0ea074295a7aabb72511fb4dd74b33e13edd8c824230e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-code.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46087, "scanner": "repobility-supply-chain", "fingerprint": "d819dc1c7d494c25a3c6b62b9723b17f53e60519bf4a2a8b0582460a0378bfe6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d819dc1c7d494c25a3c6b62b9723b17f53e60519bf4a2a8b0582460a0378bfe6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-content.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v2`: `uses: pnpm/action-setup@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46086, "scanner": "repobility-supply-chain", "fingerprint": "aa068897473da3d8c29e2dd28923c79a37e5eba426dade5cbdf47dbba8c47bf7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa068897473da3d8c29e2dd28923c79a37e5eba426dade5cbdf47dbba8c47bf7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-content.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46085, "scanner": "repobility-supply-chain", "fingerprint": "8bc672ad649b216f58232b2eed5c597363c71beb99bc9c7c01b662b6ec17f8c3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8bc672ad649b216f58232b2eed5c597363c71beb99bc9c7c01b662b6ec17f8c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-content.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46081, "scanner": "repobility-supply-chain", "fingerprint": "64383332dadc27b86fd07a0ca977b150978f154594f9924e78311da058f38df1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|64383332dadc27b86fd07a0ca977b150978f154594f9924e78311da058f38df1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-apps-frontline-widgets.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v3`: `uses: github/codeql-action/analyze@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46080, "scanner": "repobility-supply-chain", "fingerprint": "232c6eeb8e1504c8a924825da0d46b91eb4e80bfe099d50ad3e1d8d03368847a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|232c6eeb8e1504c8a924825da0d46b91eb4e80bfe099d50ad3e1d8d03368847a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/autobuild` pinned to mutable ref `@v3`: `uses: github/codeql-action/autobuild@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46079, "scanner": "repobility-supply-chain", "fingerprint": "9e47aca411be5e39417a6c79e15d76c1e27a78679ab8aeae79678c37f679877a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9e47aca411be5e39417a6c79e15d76c1e27a78679ab8aeae79678c37f679877a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v3`: `uses: github/codeql-action/init@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46078, "scanner": "repobility-supply-chain", "fingerprint": "46a2f4ebbd100454229fa1d37d49c550d81841f12985a8d731e73aa7106831ba", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|46a2f4ebbd100454229fa1d37d49c550d81841f12985a8d731e73aa7106831ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46077, "scanner": "repobility-supply-chain", "fingerprint": "bbdfc9f2715cf0c77c5a40c07eee4005136b835066051d90dece465434e90356", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bbdfc9f2715cf0c77c5a40c07eee4005136b835066051d90dece465434e90356"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46074, "scanner": "repobility-supply-chain", "fingerprint": "4e8af340a78b386752e4fff0af206439d7d96fc246fabbbf7776c0623b0f3fe9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4e8af340a78b386752e4fff0af206439d7d96fc246fabbbf7776c0623b0f3fe9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-payment.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v2`: `uses: pnpm/action-setup@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46073, "scanner": "repobility-supply-chain", "fingerprint": "a1ad2fc3dde43481c063186fb1e3e028b3555a87870ddbd2085a75d722e428cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a1ad2fc3dde43481c063186fb1e3e028b3555a87870ddbd2085a75d722e428cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-payment.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 46072, "scanner": "repobility-supply-chain", "fingerprint": "a954b1a63c74b143ebd0bfdd7d1ed2a823cca2ddfd0ad974cf7998c9b0e79d48", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a954b1a63c74b143ebd0bfdd7d1ed2a823cca2ddfd0ad974cf7998c9b0e79d48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-payment.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `testing` pulled from URL/Git: `devDependencies.testing` = `link:@apollo/client/testing` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 46071, "scanner": "repobility-supply-chain", "fingerprint": "241b15cb59b058724bcd43c6c60e3f19fc8a48f6dd9903176e9c0f4bd36cafb9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|241b15cb59b058724bcd43c6c60e3f19fc8a48f6dd9903176e9c0f4bd36cafb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `js:tsc@latest` pulled from URL/Git: `devDependencies.js:tsc@latest` = `link:@nrwl/js:tsc@latest` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 46070, "scanner": "repobility-supply-chain", "fingerprint": "273aee93c707da3da1f0561d76a916c205cab9f05bc979698caa8abb031e1cb9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|273aee93c707da3da1f0561d76a916c205cab9f05bc979698caa8abb031e1cb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `bullMQAdapter` pulled from URL/Git: `dependencies.bullMQAdapter` = `link:@bull-board/api/bullMQAdapter` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload. Caveat for this spec: `link:` is the local-path (symlink) protocol, not a URL or git host, so the remote-host-compromise scenario does not apply to `link:@bull-board/api/bullMQAdapter` as written; the concrete gap is that a linked path carries no registry integrity hash and resolves to whatever sits on the build machine. `@bull-board/api/bullMQAdapter` also looks like a deep-import subpath rather than a package name, so confirm the package.json entry is a genuine dependency (not a parsing artifact) before remediating; if it is real, depend on `@bull-board/api` at a locked version from the registry instead."}, "properties": {"repobilityId": 46060, "scanner": "repobility-supply-chain", "fingerprint": "d62b35e4a53872563390901e80681570880bd91d6b463c480a5848ff5c46df58", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d62b35e4a53872563390901e80681570880bd91d6b463c480a5848ff5c46df58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production. Caveat for this match: `toastTimeouts.delete(toastId)` is a synchronous `Map.prototype.delete` call that returns a boolean, not a Promise, so there is nothing to await; treat this as a probable false positive of the `.delete(` pattern and confirm on the cited line before triaging."}, "properties": {"repobilityId": 46057, "scanner": "repobility-threat-engine", "fingerprint": "7e2fb3042ce1cd7d653d4c11fd559fcb6fafa8ce4fac4efbdb63d0b1d8c27d39", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "toastTimeouts.delete(toastId)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7e2fb3042ce1cd7d653d4c11fd559fcb6fafa8ce4fac4efbdb63d0b1d8c27d39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/posclient-front/components/ui/use-toast.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Caveat for this match: `exec(timeString` in a report date utility is at least as likely to be `RegExp.prototype.exec` as `child_process.exec`; confirm that `child_process` is actually imported in the cited file before treating this as command injection, and mark it a false positive if it is not. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 46052, "scanner": "repobility-threat-engine", "fingerprint": "faf9e66ab89e5486413ca40ae4c0c2d22dc99264db819730bcd79b10560bfaa3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(timeString", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|faf9e66ab89e5486413ca40ae4c0c2d22dc99264db819730bcd79b10560bfaa3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/posclient-front/app/(main)/report/utils/date.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 46036, "scanner": "repobility-threat-engine", "fingerprint": "4803502cbe0f227951c99840f865f58bd0ec660ad137676d22676605ab7192fb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(validator", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4803502cbe0f227951c99840f865f58bd0ec660ad137676d22676605ab7192fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/frontline-widgets/src/app/form/components/ErxesFormValues.tsx"}, "region": {"startLine": 37}}}]}, {"ruleId": "JRN009", "level": "error", "message": {"text": "Secret-like setting is echoed into a password input value"}, "properties": {"repobilityId": 7630, "scanner": "repobility-journey-contract", "fingerprint": "875c1c7e72b774382c9a3118c227f6be8f10cce1a97e63258537f407276ccda5", "category": "auth", "severity": "high", "confidence": 0.83, "triageState": "fixed", "verdict": "likely", "isResolved": true, "reason": "A password or secret-named input is populated from a secret-like variable instead of a masked placeholder.", "evidence": {"rule_id": "JRN009", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|150|jrn009"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/plugins/insurance_ui/src/modules/insurance/components/VendorUserForm.tsx"}, "region": {"startLine": 150}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 7624, "scanner": 
"repobility-docker", "fingerprint": "bf2ea4203687e033291298d3d61b6fbf99398e5d30e4ca739bde991b0b17f2cd", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|bf2ea4203687e033291298d3d61b6fbf99398e5d30e4ca739bde991b0b17f2cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "frontend/core-ui/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 7622, "scanner": "repobility-docker", "fingerprint": "f5f868212a572e72350c37a7b9f2d421723ac5f05f0dacd51a6dac09798c4574", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f5f868212a572e72350c37a7b9f2d421723ac5f05f0dacd51a6dac09798c4574"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "backend/gateway/Dockerfile"}, "region": {"startLine": 88}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 7619, "scanner": "repobility-docker", "fingerprint": "11f580b12f9e955ead2a0207a1e81bfca890239a4100a58f14a44f14eb7f28ef", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "fixed", "verdict": "confirmed", 
"isResolved": true, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|11f580b12f9e955ead2a0207a1e81bfca890239a4100a58f14a44f14eb7f28ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/posclient-front/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 7616, "scanner": "repobility-docker", "fingerprint": "aa40c8285b52231ceb57cd1e78e557f3f93e310e58ef7556c3ff59a5c035f05c", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "fixed", "verdict": "confirmed", "isResolved": true, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aa40c8285b52231ceb57cd1e78e557f3f93e310e58ef7556c3ff59a5c035f05c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/frontline-widgets/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 7598, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AWS_SECRET_ACCESS_KEY` on a `pull_request` trigger: 
This workflow triggers on `pull_request`, which checks out the PR head's code. Referencing `${ secrets.AWS_SECRET_ACCESS_KEY }` in that run lets whoever can get the PR's scripts executed with secrets exfiltrate the value (modify a script, log the value, etc.). Caveat: on public repositories GitHub withholds repository secrets (everything except `GITHUB_TOKEN`) from `pull_request` runs opened from forks, so the fork-to-secret path is blocked by the platform; the remaining exposure is PRs from same-repository branches, and private repositories configured to send secrets to fork PRs. Do NOT remediate by switching to `pull_request_target`: that trigger runs with secrets in the base-repository context and becomes a pwn-request the moment the PR head is checked out or its scripts executed, so use it only with strict checkout discipline (no fork code in the trusted context). Prefer to move the steps that need these credentials to a `push` or `workflow_dispatch` workflow, or gate them with `if: github.event.pull_request.head.repo.full_name == github.repository`, and replace long-lived AWS keys stored as secrets with short-lived OIDC role assumption."}, "properties": {"repobilityId": 46143, "scanner": "repobility-supply-chain", "fingerprint": "f302470e16f555fb215ec96b51e72afca141eb0999d4242a621b66ec2e80fe7d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f302470e16f555fb215ec96b51e72afca141eb0999d4242a621b66ec2e80fe7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-ui-payment.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AWS_ACCESS_KEY_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AWS_ACCESS_KEY_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46142, "scanner": "repobility-supply-chain", "fingerprint": "39823931dee9f1c8ac619cd750ab05104e2bd3bfeeed7b55c2ab0d05ddb78598", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|39823931dee9f1c8ac619cd750ab05104e2bd3bfeeed7b55c2ab0d05ddb78598"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-ui-payment.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46141, "scanner": "repobility-supply-chain", "fingerprint": "3596e91857edf0a9b072e020e9c9b61d58ac2cb8c1262091d409908761330a1b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3596e91857edf0a9b072e020e9c9b61d58ac2cb8c1262091d409908761330a1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-core-ui.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46140, "scanner": "repobility-supply-chain", "fingerprint": "21fa2ebb141c65b32ea0e8b602cd6c58df7ee8b67d531c90d82698866170d2e2", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|21fa2ebb141c65b32ea0e8b602cd6c58df7ee8b67d531c90d82698866170d2e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-core-ui.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46139, "scanner": "repobility-supply-chain", "fingerprint": "7cc6d71837a4cdd4b502b4c7d95292a5444afaa4d692c28594fa8c1588d896e7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7cc6d71837a4cdd4b502b4c7d95292a5444afaa4d692c28594fa8c1588d896e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-gateway.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46138, "scanner": "repobility-supply-chain", "fingerprint": "af75f8af8ef347e941bb20245337f3843b6df6be24530da80ca61c7c5dcc2f6f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|af75f8af8ef347e941bb20245337f3843b6df6be24530da80ca61c7c5dcc2f6f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-gateway.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AWS_SECRET_ACCESS_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AWS_SECRET_ACCESS_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46137, "scanner": "repobility-supply-chain", "fingerprint": "6a3759f1952a060374cffc5a1ab3306442a35ce95e63a7c6f43b8047dcd19a75", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6a3759f1952a060374cffc5a1ab3306442a35ce95e63a7c6f43b8047dcd19a75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-ui-frontline.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AWS_ACCESS_KEY_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AWS_ACCESS_KEY_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46136, "scanner": "repobility-supply-chain", "fingerprint": "50ce83a43a12f9d3e42652745f514b881bd9e804fe6e0011c88cfd6ceae17ce9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|50ce83a43a12f9d3e42652745f514b881bd9e804fe6e0011c88cfd6ceae17ce9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-ui-frontline.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46135, "scanner": "repobility-supply-chain", "fingerprint": "b5fedf31636f26d43f83e4763e74e9e297e991bdcef33c9719bc99c5afc6cafc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b5fedf31636f26d43f83e4763e74e9e297e991bdcef33c9719bc99c5afc6cafc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-operation.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46134, "scanner": "repobility-supply-chain", "fingerprint": "3c4839257a171ebf24f93ed65d2d247aa0e3b188d6a88db998a0def0450d04ce", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3c4839257a171ebf24f93ed65d2d247aa0e3b188d6a88db998a0def0450d04ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-operation.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46132, "scanner": "repobility-supply-chain", "fingerprint": "7b60cb1594c8b5ed8a5efe4669c4a624dd322bd3328d8573f2cd4c790371fb4e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7b60cb1594c8b5ed8a5efe4669c4a624dd322bd3328d8573f2cd4c790371fb4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-frontline.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46131, "scanner": "repobility-supply-chain", "fingerprint": "89386f3f139a1336bd4b9036a82cda874a8d3d61835f014c350711c78dd1acbb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|89386f3f139a1336bd4b9036a82cda874a8d3d61835f014c350711c78dd1acbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-frontline.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46125, "scanner": "repobility-supply-chain", "fingerprint": "16fa35f6d8493aa7ef21a83fa5cbbaac0fa93b4c5b494bfe65e8eb1d7f68ba92", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|16fa35f6d8493aa7ef21a83fa5cbbaac0fa93b4c5b494bfe65e8eb1d7f68ba92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-tourism.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46122, "scanner": "repobility-supply-chain", "fingerprint": "f64e343ad59b2364611184f4fdf13f6c7cd90c40eb982d526541140c797e6ca1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f64e343ad59b2364611184f4fdf13f6c7cd90c40eb982d526541140c797e6ca1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-tourism.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46114, "scanner": "repobility-supply-chain", "fingerprint": "030145f82a9e1710a74e483fbeed7987ebbcdff0a0ef115d35e7226f503df1bc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|030145f82a9e1710a74e483fbeed7987ebbcdff0a0ef115d35e7226f503df1bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-accounting.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46113, "scanner": "repobility-supply-chain", "fingerprint": "315e4acfdea9e93cb4670af2bd9304477eee7221e22dedd7a3b1caf3e08cf327", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|315e4acfdea9e93cb4670af2bd9304477eee7221e22dedd7a3b1caf3e08cf327"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-accounting.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46109, "scanner": "repobility-supply-chain", "fingerprint": "3963bb06b8454966568f5cf04ced148f6b441ad75a3fea72ebb0de5dec0e6d09", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3963bb06b8454966568f5cf04ced148f6b441ad75a3fea72ebb0de5dec0e6d09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-loyalty.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46108, "scanner": "repobility-supply-chain", "fingerprint": "d9c2a34362b23cb0d79ca53af17fa24f6e72918647784bab78659682f70fb2eb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d9c2a34362b23cb0d79ca53af17fa24f6e72918647784bab78659682f70fb2eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-loyalty.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ANTHROPIC_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ANTHROPIC_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46091, "scanner": "repobility-supply-chain", "fingerprint": "7178aae44111b2743e07a1e3a7d85b0b7facb1fb439c45f782a6568916144bf1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7178aae44111b2743e07a1e3a7d85b0b7facb1fb439c45f782a6568916144bf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-code.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46089, "scanner": "repobility-supply-chain", "fingerprint": "be77041006c06e23edfe0f22aeaaa00c8ffea993fc6ef9fdcf2856530ada7f59", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be77041006c06e23edfe0f22aeaaa00c8ffea993fc6ef9fdcf2856530ada7f59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-content.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46088, "scanner": "repobility-supply-chain", "fingerprint": "59f8dafe3119a536a159311eb2d51bc954c2fcaab097c556d6f92bce7fe0e939", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|59f8dafe3119a536a159311eb2d51bc954c2fcaab097c556d6f92bce7fe0e939"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-content.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46084, "scanner": "repobility-supply-chain", "fingerprint": "9a2dbce0ed44b4a059c565c26e378eb10faf5bede999485b74d6957615c1b144", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9a2dbce0ed44b4a059c565c26e378eb10faf5bede999485b74d6957615c1b144"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-apps-frontline-widgets.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46082, "scanner": "repobility-supply-chain", "fingerprint": "1b1b298588ada0884f0c53413ef8565674e1c1d74eb85ef5a12d5ec44392c8fd", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b1b298588ada0884f0c53413ef8565674e1c1d74eb85ef5a12d5ec44392c8fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-apps-frontline-widgets.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46076, "scanner": "repobility-supply-chain", "fingerprint": "7723cf2e6dd1db7707a7a2544cd91a88e7d88af642ddbb9d649cd3221354207a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7723cf2e6dd1db7707a7a2544cd91a88e7d88af642ddbb9d649cd3221354207a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-payment.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_USERNAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 46075, "scanner": "repobility-supply-chain", "fingerprint": "dcc4f9fa04b0f11235a3a3dbf38ec4cd1b34bc9ae623a5c4d7cba4c184563663", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dcc4f9fa04b0f11235a3a3dbf38ec4cd1b34bc9ae623a5c4d7cba4c184563663"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci-api-payment.yml"}, "region": {"startLine": 61}}}]}]}]}