{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-2f9f-gq7v-9h6m", "name": "thrift: GHSA-2f9f-gq7v-9h6m", "shortDescription": {"text": "thrift: GHSA-2f9f-gq7v-9h6m"}, "fullDescription": {"text": "Apache Thrift has a Memory Allocation with Excessive Size Value Vulnerability"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-3pv8-6f4r-ffg2", "name": "tar: GHSA-3pv8-6f4r-ffg2", "shortDescription": {"text": "tar: GHSA-3pv8-6f4r-ffg2"}, "fullDescription": {"text": "tar has a PAX header desynchronization issue"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xv59-967r-8726", "name": "openssl: GHSA-xv59-967r-8726", "shortDescription": {"text": "openssl: GHSA-xv59-967r-8726"}, "fullDescription": {"text": "rust-openssl vulnerable to heap buffer overflow when encrypting with AES key-wrap-with-padding"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-phqj-4mhp-q6mq", "name": "openssl: GHSA-phqj-4mhp-q6mq", "shortDescription": {"text": "openssl: GHSA-phqj-4mhp-q6mq"}, "fullDescription": {"text": "rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `paradedb` image uses the latest tag", "shortDescription": {"text": "Compose service `paradedb` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same 
source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR017", "name": "Dockerfile installs dependencies after copying the full source tree", "shortDescription": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "fullDescription": {"text": "When dependency installation comes after COPY ., any source change invalidates the dependency layer and makes Docker rebuild much more slowly."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . 
is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC003", "name": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code.", "shortDescription": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "fullDescription": {"text": "Never commit secrets. Use .env files with .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Agent helper projects often publish one-line installers. 
`curl | sh` style commands are convenient, but they bypass review unless the script is pinned, signed, or checksum-verified."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `process_doc` has cognitive complexity 10 (SonarSource scale). Cognitive c", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `process_doc` has cognitive complexity 10 (SonarSource scale). 
Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion a"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 10."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED066", "name": "[MINED066] Rust Panic Macro (and 28 more): Same pattern found in 28 additional files. Review if needed.", "shortDescription": {"text": "[MINED066] Rust Panic Macro (and 28 more): Same pattern found in 28 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED059", "name": "[MINED059] Rust Expect In Prod (and 42 more): Same pattern found in 42 additional files. Review if needed.", "shortDescription": {"text": "[MINED059] Rust Expect In Prod (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED068", "name": "[MINED068] Rust Unsafe Block (and 45 more): Same pattern found in 45 additional files. Review if needed.", "shortDescription": {"text": "[MINED068] Rust Unsafe Block (and 45 more): Same pattern found in 45 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-119 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 39 more): Same pattern found in 39 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 39 more): Same pattern found in 39 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC022", "name": "[SEC022] Database URL With Embedded Credential (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[SEC022] Database URL With Embedded Credential (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "fullDescription": {"text": "Remove the embedded password, require the URL from a secret store or environment variable, and rotate the database credential."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2021-0127", "name": "serde_cbor: RUSTSEC-2021-0127", "shortDescription": {"text": "serde_cbor: RUSTSEC-2021-0127"}, "fullDescription": {"text": "serde_cbor is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2023-0071", "name": "rsa: RUSTSEC-2023-0071", "shortDescription": {"text": "rsa: RUSTSEC-2023-0071"}, "fullDescription": {"text": "Marvin Attack: potential key recovery through timing sidechannels"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0436", "name": "paste: RUSTSEC-2024-0436", "shortDescription": {"text": "paste: RUSTSEC-2024-0436"}, "fullDescription": {"text": "paste - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-xp3w-r5p5-63rr", "name": "openssl: GHSA-xp3w-r5p5-63rr", "shortDescription": {"text": "openssl: GHSA-xp3w-r5p5-63rr"}, "fullDescription": {"text": "rust-openssl has undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2024-0384", "name": "instant: RUSTSEC-2024-0384", "shortDescription": {"text": "instant: RUSTSEC-2024-0384"}, "fullDescription": {"text": "`instant` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", 
"confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0057", "name": "fxhash: RUSTSEC-2025-0057", "shortDescription": {"text": "fxhash: RUSTSEC-2025-0057"}, "fullDescription": {"text": "fxhash - no longer maintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2021-0153", "name": "encoding: RUSTSEC-2021-0153", "shortDescription": {"text": "encoding: RUSTSEC-2021-0153"}, "fullDescription": {"text": "`encoding` is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0141", "name": "bincode: RUSTSEC-2025-0141", "shortDescription": {"text": "bincode: RUSTSEC-2025-0141"}, "fullDescription": {"text": "Bincode is unmaintained"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "RUSTSEC-2025-0052", "name": "async-std: RUSTSEC-2025-0052", "shortDescription": {"text": "async-std: RUSTSEC-2025-0052"}, "fullDescription": {"text": "async-std has been discontinued"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED039", "name": "[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path.", "shortDescription": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED041", "name": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs.", "shortDescription": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "Workflow container/services image `redhat/ubi9:latest` unpinned", "shortDescription": {"text": "Workflow container/services image `redhat/ubi9:latest` unpinned"}, "fullDescription": {"text": "`container/services image: redhat/ubi9:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/create-github-app-token` pinned to mutable ref `@v3`", "shortDescription": {"text": "Action `actions/create-github-app-token` pinned to mutable ref `@v3`"}, "fullDescription": {"text": "`uses: actions/create-github-app-token@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `postgres:18-trixie` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `postgres:18-trixie` not pinned by digest"}, "fullDescription": {"text": "`FROM postgres:18-trixie` resolves the tag at build time. 
The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "pre-commit hook `https://github.com/ComPWA/taplo-pre-commit` pinned to mutable rev `v0.9.3`", "shortDescription": {"text": "pre-commit hook `https://github.com/ComPWA/taplo-pre-commit` pinned to mutable rev `v0.9.3`"}, "fullDescription": {"text": "`.pre-commit-config.yaml` references `https://github.com/ComPWA/taplo-pre-commit` at `rev: v0.9.3`. If `v0.9.3` is a branch or version tag, the repo owner can push new code there and `pre-commit install --install-hooks` will fetch it on every developer's machine. Pin `rev` to a full commit SHA instead."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Literal secrets in Compose files are committed to source and exposed through container inspection."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": 
"MINED013", "name": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages.", "shortDescription": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-200 / A07:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.SLACK_BENCHMARKS_CHANNEL_ID` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.SLACK_BENCHMARKS_CHANNEL_ID` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${{ secrets.SLACK_BENCHMARKS_CHANNEL_ID }}` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.) whenever the secret is actually passed to the run. By default GitHub does not pass repository secrets to `pull_request` runs that originate from a fork, so verify that the run actually receives the secret before treating this as exploitable. Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1113"}, "properties": {"repository": "paradedb/paradedb", "repoUrl": "https://github.com/paradedb/paradedb", "branch": "main"}, "results": [{"ruleId": "GHSA-2f9f-gq7v-9h6m", "level": "warning", "message": {"text": "thrift: GHSA-2f9f-gq7v-9h6m"}, "properties": {"repobilityId": 110183, "scanner": "osv-scanner", "fingerprint": "355ac4f2e35b1605c976d178c24aa33057e46664cbb7fa5fe562173d72c26780", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-thrift-2026-43868", "CVE-2026-43868"], "package": "thrift", "rule_id": "GHSA-2f9f-gq7v-9h6m", "scanner": "osv-scanner", 
"correlation_key": "vuln|thrift|CVE-2026-43868|cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-3pv8-6f4r-ffg2", "level": "warning", "message": {"text": "tar: GHSA-3pv8-6f4r-ffg2"}, "properties": {"repobilityId": 110182, "scanner": "osv-scanner", "fingerprint": "9cd1204918222b95ec0d08856c831b55ba7644607d596b5a5ad4ea9f50231490", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "tar", "rule_id": "GHSA-3pv8-6f4r-ffg2", "scanner": "osv-scanner", "correlation_key": "vuln|tar|GHSA-3PV8-6F4R-FFG2|cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xv59-967r-8726", "level": "warning", "message": {"text": "openssl: GHSA-xv59-967r-8726"}, "properties": {"repobilityId": 110178, "scanner": "osv-scanner", "fingerprint": "40f7a69afef8f05b62f850cc1a053fe6e15a2035daedd2be3c02e1fc04ce060b", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-44662"], "package": "openssl", "rule_id": "GHSA-xv59-967r-8726", "scanner": "osv-scanner", "correlation_key": "vuln|openssl|CVE-2026-44662|cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-phqj-4mhp-q6mq", "level": "warning", "message": {"text": "openssl: GHSA-phqj-4mhp-q6mq"}, "properties": {"repobilityId": 110176, "scanner": "osv-scanner", "fingerprint": "e7d9444dd05c6f7db70b4bbdd19e857b94c64c61212cc0633fa15cbc0de69929", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": 
["CVE-2026-45784"], "package": "openssl", "rule_id": "GHSA-phqj-4mhp-q6mq", "scanner": "osv-scanner", "correlation_key": "vuln|openssl|CVE-2026-45784|cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `paradedb` image uses the latest tag"}, "properties": {"repobilityId": 110153, "scanner": "repobility-docker", "fingerprint": "979d22a432438aa5c9bf18dce5872a18cf8fe820a57c87969e63a849599c63f4", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "paradedb/paradedb:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|979d22a432438aa5c9bf18dce5872a18cf8fe820a57c87969e63a849599c63f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 110152, "scanner": "repobility-docker", "fingerprint": "f83b9ca1190bf33755865e44f016bbdfc428d136a93e34075b74281384f3c1f0", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "postgres:@@PG_VERSION_MAJOR@@-trixie", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", 
"https://github.com/hadolint/hadolint"], "correlation_key": "fp|f83b9ca1190bf33755865e44f016bbdfc428d136a93e34075b74281384f3c1f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.template"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 110151, "scanner": "repobility-docker", "fingerprint": "23cc3a84ac5b8d4b17287deaf474a7d3ca17b15a276f39b4c93dd43244345345", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 38 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 38, "correlation_key": "fp|23cc3a84ac5b8d4b17287deaf474a7d3ca17b15a276f39b4c93dd43244345345", "dependency_install_line": 53}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.stressgres"}, "region": {"startLine": 53}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 110150, "scanner": "repobility-docker", "fingerprint": "435eed0d96a42a48e558628777892c0d606b8c065f2a89945f9fd3ddd77f6599", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|435eed0d96a42a48e558628777892c0d606b8c065f2a89945f9fd3ddd77f6599", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.stressgres"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 110149, "scanner": "repobility-docker", "fingerprint": "9402bceab8fdb542a398229f5f25ccca23363c8f255f95b4a69ef4a920222113", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 37 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 37, "correlation_key": "fp|9402bceab8fdb542a398229f5f25ccca23363c8f255f95b4a69ef4a920222113", "dependency_install_line": 54}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.proptests"}, "region": {"startLine": 54}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 110148, "scanner": "repobility-docker", "fingerprint": "f597758231ba5a619087fe7e4208589bcc4cfd72dac813ac0ffeb8ab9442ccb8", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f597758231ba5a619087fe7e4208589bcc4cfd72dac813ac0ffeb8ab9442ccb8", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.proptests"}, "region": {"startLine": 37}}}]}, 
{"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 110147, "scanner": "repobility-docker", "fingerprint": "53acbdb42d9cf1f86dc6302d35db3e022ec4e0ea8179850483b57dbb98fffec9", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "postgres:18-trixie", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|53acbdb42d9cf1f86dc6302d35db3e022ec4e0ea8179850483b57dbb98fffec9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.paradedb-18"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 110146, "scanner": "repobility-docker", "fingerprint": "efa4ad2642906e5978ed3f754ad5a17becaae6cfb4c841110d3efa6e35ffb3c5", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "postgres:17-trixie", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|efa4ad2642906e5978ed3f754ad5a17becaae6cfb4c841110d3efa6e35ffb3c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.paradedb-17"}, "region": {"startLine": 2}}}]}, 
{"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 110145, "scanner": "repobility-docker", "fingerprint": "16bdafc016d14acd8b47319902e456a4188c31bcf2289c91b94d41a777d85082", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "postgres:16-trixie", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|16bdafc016d14acd8b47319902e456a4188c31bcf2289c91b94d41a777d85082"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.paradedb-16"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 110144, "scanner": "repobility-docker", "fingerprint": "10ab57c3d2f4c739b0610e6f442224471134a8a1ae457705aa477df797bdac81", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "postgres:15-trixie", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|10ab57c3d2f4c739b0610e6f442224471134a8a1ae457705aa477df797bdac81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.paradedb-15"}, "region": {"startLine": 2}}}]}, 
{"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 110143, "scanner": "repobility-docker", "fingerprint": "672e085351bdf480feb3f960b5549ca718efcc24d709da7c712c4f02cc7dac1b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "postgres:18-trixie", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|672e085351bdf480feb3f960b5549ca718efcc24d709da7c712c4f02cc7dac1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.official-18"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 110142, "scanner": "repobility-docker", "fingerprint": "6b2b02277319c2a55b372f1b754dcd3d745b2a896cac4df65dc1347b8580fb7d", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "postgres:17-trixie", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6b2b02277319c2a55b372f1b754dcd3d745b2a896cac4df65dc1347b8580fb7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.official-17"}, "region": {"startLine": 2}}}]}, 
{"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 110141, "scanner": "repobility-docker", "fingerprint": "2ad23ff2909cc16ec600401280a715690b4c6f49568ec6587b8094fbd5492483", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "postgres:16-trixie", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2ad23ff2909cc16ec600401280a715690b4c6f49568ec6587b8094fbd5492483"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.official-16"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 110140, "scanner": "repobility-docker", "fingerprint": "76c23968922ecfe3a499777b268131b779aa8199582ab0962298a878b8277bf3", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "postgres:15-trixie", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|76c23968922ecfe3a499777b268131b779aa8199582ab0962298a878b8277bf3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.official-15"}, "region": {"startLine": 2}}}]}, 
{"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 110138, "scanner": "repobility-docker", "fingerprint": "86a65bd1a760ad043ce359448bb3fc363727f85f3395cb966c9bd385dc6174ab", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "postgres:18-trixie", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|86a65bd1a760ad043ce359448bb3fc363727f85f3395cb966c9bd385dc6174ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.antithesis-18"}, "region": {"startLine": 2}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 110119, "scanner": "repobility-threat-engine", "fingerprint": "f466d267f244387437024ae9f239735c821506df11d6a4e96371eef538641641", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.8 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: test/fixture path]", "evidence": {"match": "PASSWORD=\"<redacted>}\"", "reason": "Low entropy value (3.8 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: test/fixture path]", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|. 
token|1|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/smoke_test_code_snippets.sh"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC003", "level": "warning", "message": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "properties": {"repobilityId": 110113, "scanner": "repobility-threat-engine", "fingerprint": "e76edac7854b556d3c5a6393e9ca0ffdfaf7b66a5129961cbd987e4bc9b740d0", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.5 bits) \u2014 may be placeholder or common string", "evidence": {"match": "SECRET_KEY=\"paradedb-docs-snippets\"", "reason": "Low entropy value (3.5 bits) \u2014 may be placeholder or common string", "rule_id": "SEC003", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|. token|4|secret_key paradedb-docs-snippets"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/django_snippet_harness.py"}, "region": {"startLine": 41}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 110110, "scanner": "repobility-agent-runtime", "fingerprint": "cc6616bf6f46dc5190fbe95abc24e621b5050a91cc05acd9bfcdcb89d3964b6c", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|cc6616bf6f46dc5190fbe95abc24e621b5050a91cc05acd9bfcdcb89d3964b6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/README.md"}, "region": {"startLine": 
15}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 110109, "scanner": "repobility-agent-runtime", "fingerprint": "21ceb2552511ecdae94073a1621f19fe3ba7d39614c1fbcdf10f9ba609eab1a8", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|21ceb2552511ecdae94073a1621f19fe3ba7d39614c1fbcdf10f9ba609eab1a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/deploy/cloud-platforms/digitalocean.mdx"}, "region": {"startLine": 33}}}]}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 110108, "scanner": "repobility-agent-runtime", "fingerprint": "ef2879c11504bf4a4d14aa714169ebdae758208db67577d48e325e38bc84b4ea", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|ef2879c11504bf4a4d14aa714169ebdae758208db67577d48e325e38bc84b4ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"}, "region": {"startLine": 30}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 110156, "scanner": "repobility-docker", "fingerprint": "eedd15d04efe88a2e429f36ff42c1cec90dcb209f1467864baa0c73970c2219e", "category": 
"docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "paradedb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|eedd15d04efe88a2e429f36ff42c1cec90dcb209f1467864baa0c73970c2219e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 110154, "scanner": "repobility-docker", "fingerprint": "8938d773cac80c8fcf730706bdaa8d4ced7a836a56608454f95113d656c41b26", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "paradedb", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|8938d773cac80c8fcf730706bdaa8d4ced7a836a56608454f95113d656c41b26"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 110139, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": 
"DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `process_doc` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: continue=2, for=2, if=2, nested_bonus=4."}, "properties": {"repobilityId": 110112, "scanner": "repobility-threat-engine", "fingerprint": "0dbb34e4dc51699c773dcf2ce6d3cada5028b736a78e3397b6bb245b9e003d3a", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 10 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "process_doc", "breakdown": {"if": 2, "for": 2, "continue": 2, "nested_bonus": 4}, "complexity": 10, "correlation_key": "fp|0dbb34e4dc51699c773dcf2ce6d3cada5028b736a78e3397b6bb245b9e003d3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/extract_code_snippets.py"}, "region": {"startLine": 80}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: for=3, if=3, nested_bonus=3."}, "properties": {"repobilityId": 110111, "scanner": "repobility-threat-engine", "fingerprint": "c60988a9baea196051cd8a3f136c79a9c784ccbd623ea0b246acd1756337d084", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 3, "for": 3, "nested_bonus": 3}, "complexity": 9, "correlation_key": "fp|c60988a9baea196051cd8a3f136c79a9c784ccbd623ea0b246acd1756337d084"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/check_migration_diff.py"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110012, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3578ec19055e54207a44272970a1aa7afbca244e53a28184ce8188104bc2fccd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pg_search/src/postgres/customscan/aggregatescan/privdat.rs", "duplicate_line": 87, "correlation_key": "fp|3578ec19055e54207a44272970a1aa7afbca244e53a28184ce8188104bc2fccd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/src/postgres/customscan/joinscan/privdat.rs"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110011, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"f7f5046107e6e6a3f1c32c4b16db415cca4223b5db01b4695d32114b7db3b68a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pg_search/src/postgres/customscan/basescan/privdat.rs", "duplicate_line": 85, "correlation_key": "fp|f7f5046107e6e6a3f1c32c4b16db415cca4223b5db01b4695d32114b7db3b68a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/src/postgres/customscan/joinscan/privdat.rs"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110010, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d1d25d1ec5007b8b2d8eb886e6eec5b767c733eef3b9ba897f9a274561f72284", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pg_search/src/postgres/customscan/aggregatescan/mpp.rs", "duplicate_line": 38, "correlation_key": "fp|d1d25d1ec5007b8b2d8eb886e6eec5b767c733eef3b9ba897f9a274561f72284"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/src/postgres/customscan/joinscan/mpp.rs"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110009, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c9fa049bd8984f0395fcd746e5f3a2675241b2b766c0b2c446ac02b07674a82c", 
"category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pg_search/src/postgres/customscan/aggregatescan/privdat.rs", "duplicate_line": 87, "correlation_key": "fp|c9fa049bd8984f0395fcd746e5f3a2675241b2b766c0b2c446ac02b07674a82c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/src/postgres/customscan/basescan/privdat.rs"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110008, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bee63d9a36ac89b191d453f2b2b5d9130260f414087def08fa89f2a605206b2d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pg_search/src/api/operator/andandand.rs", "duplicate_line": 65, "correlation_key": "fp|bee63d9a36ac89b191d453f2b2b5d9130260f414087def08fa89f2a605206b2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/src/api/operator/ororor.rs"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 110007, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b8ad97d79635f6a5f3ef1c3c545cc80ccaba363391e036cd5b55740f81e3888c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pg_search/src/api/operator/boost.rs", "duplicate_line": 171, "correlation_key": "fp|b8ad97d79635f6a5f3ef1c3c545cc80ccaba363391e036cd5b55740f81e3888c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/src/api/operator/const_score.rs"}, "region": {"startLine": 166}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro (and 28 more): Same pattern found in 28 additional files. Review if needed."}, "properties": {"repobilityId": 110135, "scanner": "repobility-threat-engine", "fingerprint": "43b9440801111116237228dac5ab47ff0a45f0e7de4e94c9072b6d8eb919cf80", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 28 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|43b9440801111116237228dac5ab47ff0a45f0e7de4e94c9072b6d8eb919cf80", "aggregated_count": 28}}}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 110134, "scanner": "repobility-threat-engine", "fingerprint": "3b47b318c684630b452b9fdc8da8a2d09f8f340130c51524f8db6803c687360d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3b47b318c684630b452b9fdc8da8a2d09f8f340130c51524f8db6803c687360d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/src/api/operator/andandand.rs"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 110133, "scanner": "repobility-threat-engine", "fingerprint": "c155d19fd240ac9e8bf4c36a5ced9e2c172f67ed8bbb5ff5e444976518f377b3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c155d19fd240ac9e8bf4c36a5ced9e2c172f67ed8bbb5ff5e444976518f377b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/src/api/builder_fns/proximity.rs"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED066", "level": "none", "message": {"text": "[MINED066] Rust Panic Macro: panic!() unwinds the stack. 
Use Result for recoverable errors."}, "properties": {"repobilityId": 110132, "scanner": "repobility-threat-engine", "fingerprint": "2003356c7fc142b5a21e05ade99f3a95e363540dc197c2c3002b04a91b4eeeec", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-panic-macro", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348055+00:00", "triaged_in_corpus": 12, "observations_count": 48611, "ai_coder_pattern_id": 113}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2003356c7fc142b5a21e05ade99f3a95e363540dc197c2c3002b04a91b4eeeec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/src/api/builder_fns/mlt.rs"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "properties": {"repobilityId": 110131, "scanner": "repobility-threat-engine", "fingerprint": "8a5ff62c3fddb8c7bd1a2d70f0bbdca54b61c18a9691c5f77a66ad918a9e5653", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 42 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8a5ff62c3fddb8c7bd1a2d70f0bbdca54b61c18a9691c5f77a66ad918a9e5653", "aggregated_count": 42}}}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) panics the same way as unwrap, but with a custom message."}, "properties": {"repobilityId": 110130, "scanner": "repobility-threat-engine", "fingerprint": "7a0dad390b589aa2d0927a3b8820cd16b7dfcea63f679a984b2fd686a670452c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7a0dad390b589aa2d0927a3b8820cd16b7dfcea63f679a984b2fd686a670452c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/src/api/operator/andandand.rs"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics the same way as unwrap, but with a custom message."}, "properties": {"repobilityId": 110129, "scanner": "repobility-threat-engine", "fingerprint": "af6e3b1790d55649b6c3e7680f18222538e26d716be6bbc7b85cdd1bbf73e324", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|af6e3b1790d55649b6c3e7680f18222538e26d716be6bbc7b85cdd1bbf73e324"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/src/api/builder_fns/proximity.rs"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED059", "level": "none", "message": {"text": "[MINED059] Rust Expect In Prod: .expect(...) 
panics the same way as unwrap, but with a custom message."}, "properties": {"repobilityId": 110128, "scanner": "repobility-threat-engine", "fingerprint": "a321c1eac66a64e763a6dfcbf8675c88943e7ee13a9b0b0d2069fe66fddab7c3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-expect-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348039+00:00", "triaged_in_corpus": 12, "observations_count": 175379, "ai_coder_pattern_id": 112}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a321c1eac66a64e763a6dfcbf8675c88943e7ee13a9b0b0d2069fe66fddab7c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/src/api/builder_fns/mlt.rs"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block (and 45 more): Same pattern found in 45 additional files. Review if needed."}, "properties": {"repobilityId": 110127, "scanner": "repobility-threat-engine", "fingerprint": "c6f43550beb9056c25153969c811705773f08dfd8a2248f16226f1c8e868ca1d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 45 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c6f43550beb9056c25153969c811705773f08dfd8a2248f16226f1c8e868ca1d", "aggregated_count": 45}}}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 110126, "scanner": "repobility-threat-engine", "fingerprint": "571f3479b0cb58aed36ef91a35b48cc12337bc6099777038a8a674cabf97cd74", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|571f3479b0cb58aed36ef91a35b48cc12337bc6099777038a8a674cabf97cd74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/src/api/operator/andandand.rs"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 110125, "scanner": "repobility-threat-engine", "fingerprint": "8f2dce8fa0610ba5228c67a14cf08c01e289cc32ef48a34dbf3330d493639b0e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8f2dce8fa0610ba5228c67a14cf08c01e289cc32ef48a34dbf3330d493639b0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/src/api/builder_fns/mlt.rs"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED068", "level": "none", "message": {"text": "[MINED068] Rust Unsafe Block: unsafe { ... } block. 
Compiler safety guarantees disabled inside."}, "properties": {"repobilityId": 110124, "scanner": "repobility-threat-engine", "fingerprint": "02e93a94ca0dc8fbb3e9bb2397f8514b4b00f9b3e239ad90025529e68018b1ee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unsafe-block", "owasp": null, "cwe_ids": ["CWE-119"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348060+00:00", "triaged_in_corpus": 12, "observations_count": 42383, "ai_coder_pattern_id": 116}, "scanner": "repobility-threat-engine", "correlation_key": "fp|02e93a94ca0dc8fbb3e9bb2397f8514b4b00f9b3e239ad90025529e68018b1ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/src/api/aggregate.rs"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 39 more): Same pattern found in 39 additional files. Review if needed."}, "properties": {"repobilityId": 110123, "scanner": "repobility-threat-engine", "fingerprint": "76ad0a283816dd4cbf8b9708ee1e39d3e9714388af361f92b0eb99ba9ee23cf2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 39 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|76ad0a283816dd4cbf8b9708ee1e39d3e9714388af361f92b0eb99ba9ee23cf2", "aggregated_count": 39}}}, {"ruleId": "SEC022", "level": "none", "message": {"text": "[SEC022] Database URL With Embedded Credential (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 110116, "scanner": "repobility-threat-engine", "fingerprint": "c8425e6700c1d95b6cacded725fe72b4c455d9fb2a0cddfeb2a6f7d806b30c0b", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c8425e6700c1d95b6cacded725fe72b4c455d9fb2a0cddfeb2a6f7d806b30c0b"}}}, {"ruleId": "RUSTSEC-2021-0127", "level": "error", "message": {"text": "serde_cbor: RUSTSEC-2021-0127"}, "properties": {"repobilityId": 110181, "scanner": "osv-scanner", "fingerprint": "a1dd4446b1ebae535d80097a37bd392cdf56bfe6431e6f6faea9a80fa4e9997d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "serde_cbor", "rule_id": "RUSTSEC-2021-0127", "scanner": "osv-scanner", "correlation_key": "fp|a1dd4446b1ebae535d80097a37bd392cdf56bfe6431e6f6faea9a80fa4e9997d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2023-0071", "level": "error", "message": {"text": "rsa: RUSTSEC-2023-0071"}, "properties": {"repobilityId": 110180, "scanner": "osv-scanner", "fingerprint": "8d2ec21cf46ba80ff1843c2b573a651f4162fc37b24b67de47343d2180e0463e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-49092", "GHSA-4grx-2x9w-596c", "GHSA-c38w-74pg-36hr"], "package": "rsa", "rule_id": "RUSTSEC-2023-0071", "scanner": "osv-scanner", "correlation_key": "vuln|rsa|CVE-2023-49092|cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0436", "level": "error", "message": {"text": "paste: RUSTSEC-2024-0436"}, "properties": {"repobilityId": 110179, "scanner": "osv-scanner", "fingerprint": "ecf6a49d252eada338538964a3d9bb37acf276dba6d473e55cf76f528b35783f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": 
"open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "paste", "rule_id": "RUSTSEC-2024-0436", "scanner": "osv-scanner", "correlation_key": "fp|ecf6a49d252eada338538964a3d9bb37acf276dba6d473e55cf76f528b35783f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-xp3w-r5p5-63rr", "level": "error", "message": {"text": "openssl: GHSA-xp3w-r5p5-63rr"}, "properties": {"repobilityId": 110177, "scanner": "osv-scanner", "fingerprint": "d3c5711dee25a3797b74ad5eb81fb765a4fb03d4c045924932e9431b10ed3aa6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42327"], "package": "openssl", "rule_id": "GHSA-xp3w-r5p5-63rr", "scanner": "osv-scanner", "correlation_key": "vuln|openssl|CVE-2026-42327|cargo.lock"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2024-0384", "level": "error", "message": {"text": "instant: RUSTSEC-2024-0384"}, "properties": {"repobilityId": 110175, "scanner": "osv-scanner", "fingerprint": "2ceb760f484abeb3a84e0d3edb5de7bba161864b40faf40414de9a12f611490f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "instant", "rule_id": "RUSTSEC-2024-0384", "scanner": "osv-scanner", "correlation_key": "fp|2ceb760f484abeb3a84e0d3edb5de7bba161864b40faf40414de9a12f611490f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0057", "level": "error", "message": {"text": "fxhash: RUSTSEC-2025-0057"}, "properties": {"repobilityId": 110174, "scanner": "osv-scanner", "fingerprint": 
"81c2c5c48229a549978285f8dfbddc82d310de8f2cb86fdbc68f4a69f0c7a63c", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "fxhash", "rule_id": "RUSTSEC-2025-0057", "scanner": "osv-scanner", "correlation_key": "fp|81c2c5c48229a549978285f8dfbddc82d310de8f2cb86fdbc68f4a69f0c7a63c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2021-0153", "level": "error", "message": {"text": "encoding: RUSTSEC-2021-0153"}, "properties": {"repobilityId": 110173, "scanner": "osv-scanner", "fingerprint": "bdf7fab82f25deb807210b18a6cfdf5c437cbe678075f846795976ea25ab74ac", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "encoding", "rule_id": "RUSTSEC-2021-0153", "scanner": "osv-scanner", "correlation_key": "fp|bdf7fab82f25deb807210b18a6cfdf5c437cbe678075f846795976ea25ab74ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0141", "level": "error", "message": {"text": "bincode: RUSTSEC-2025-0141"}, "properties": {"repobilityId": 110172, "scanner": "osv-scanner", "fingerprint": "634ded575a91e8662811f47a1170cf5fb4279a65e3c3176bb84aeaac3c78b213", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "bincode", "rule_id": "RUSTSEC-2025-0141", "scanner": "osv-scanner", "correlation_key": "fp|634ded575a91e8662811f47a1170cf5fb4279a65e3c3176bb84aeaac3c78b213"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "RUSTSEC-2025-0052", "level": "error", "message": {"text": "async-std: 
RUSTSEC-2025-0052"}, "properties": {"repobilityId": 110171, "scanner": "osv-scanner", "fingerprint": "7ff2ca48c08eab4a10f1dc3a725c7b79249ea5a99da79680872627dd5a1fc954", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "package": "async-std", "rule_id": "RUSTSEC-2025-0052", "scanner": "osv-scanner", "correlation_key": "fp|7ff2ca48c08eab4a10f1dc3a725c7b79249ea5a99da79680872627dd5a1fc954"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Cargo.lock"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED039", "level": "error", "message": {"text": "[MINED039] Rust Todo Macro: todo!() panics when reached. Unimplemented code path."}, "properties": {"repobilityId": 110137, "scanner": "repobility-threat-engine", "fingerprint": "3358dff26c04c94cc0973f52d2426f2af461ae67fe951ac20a749ebc15f00700", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-todo-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347989+00:00", "triaged_in_corpus": 15, "observations_count": 1561, "ai_coder_pattern_id": 114}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3358dff26c04c94cc0973f52d2426f2af461ae67fe951ac20a749ebc15f00700"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/src/postgres/customscan/path.rs"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED041", "level": "error", "message": {"text": "[MINED041] Rust Unimplemented Macro: unimplemented!() panics. 
Same as todo!() but conventionally used for trait stubs."}, "properties": {"repobilityId": 110136, "scanner": "repobility-threat-engine", "fingerprint": "5c26cd553dc320707b13aa6e162c0fc1e7fd69e5dec162bc6df2b5025b54b1ef", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unimplemented-macro", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347994+00:00", "triaged_in_corpus": 15, "observations_count": 1422, "ai_coder_pattern_id": 115}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5c26cd553dc320707b13aa6e162c0fc1e7fd69e5dec162bc6df2b5025b54b1ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/src/postgres/customscan/basescan/exec_methods.rs"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 110122, "scanner": "repobility-threat-engine", "fingerprint": "46890a8dc9d1ecd852a33ce1207b3f9d217a23712c2d02c6f772ffe5160c36dd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|46890a8dc9d1ecd852a33ce1207b3f9d217a23712c2d02c6f772ffe5160c36dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "macros/src/generate_tokenizer_sql.rs"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 110121, "scanner": "repobility-threat-engine", "fingerprint": "3c5b95f446616dbf69ceae545d73fe60a0c94cc28a76b11c0af4cfbde43bb4ae", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3c5b95f446616dbf69ceae545d73fe60a0c94cc28a76b11c0af4cfbde43bb4ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/src/lib.rs"}, "region": {"startLine": 160}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 110120, "scanner": "repobility-threat-engine", "fingerprint": "f9ae5bce93ca696b0f00bc3a77c450898ce5e150f89735e2fccfb6f01f07031d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f9ae5bce93ca696b0f00bc3a77c450898ce5e150f89735e2fccfb6f01f07031d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benchmarks/src/config.rs"}, "region": {"startLine": 145}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `redhat/ubi9:latest` unpinned"}, "properties": {"repobilityId": 110098, "scanner": "repobility-supply-chain", "fingerprint": "86f3229dfbf9cc7fcd8b56a9f1ddeba791b0554d37d7ae8d478bec7ca900ef44", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86f3229dfbf9cc7fcd8b56a9f1ddeba791b0554d37d7ae8d478bec7ca900ef44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-rhel.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `redhat/ubi9:latest` unpinned"}, "properties": {"repobilityId": 110097, "scanner": 
"repobility-supply-chain", "fingerprint": "8e6bdbbddc65e4e18a45ce0de4e194028bc4913371826f66314651964db74d7e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8e6bdbbddc65e4e18a45ce0de4e194028bc4913371826f66314651964db74d7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-rhel.yml"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `redhat/ubi9:latest` unpinned"}, "properties": {"repobilityId": 110096, "scanner": "repobility-supply-chain", "fingerprint": "450e57b371328e727a0009dc3c1d7579312965ec67ca575e1aa7137f0b75ce74", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|450e57b371328e727a0009dc3c1d7579312965ec67ca575e1aa7137f0b75ce74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-rhel.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `redhat/ubi9:latest` unpinned"}, "properties": {"repobilityId": 110095, "scanner": "repobility-supply-chain", "fingerprint": "39ee6a9e8eaab0624a31721ad4b2b566d264e193477228ee8436283191331aca", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|39ee6a9e8eaab0624a31721ad4b2b566d264e193477228ee8436283191331aca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-rhel.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `redhat/ubi9:latest` unpinned"}, "properties": {"repobilityId": 110094, "scanner": "repobility-supply-chain", "fingerprint": "4ad0ef0db8b707657543fb2b0e72438b8c9add59cd5ecf44c509918bc89e50d7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4ad0ef0db8b707657543fb2b0e72438b8c9add59cd5ecf44c509918bc89e50d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-rhel.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `redhat/ubi9:latest` unpinned"}, "properties": {"repobilityId": 110093, "scanner": "repobility-supply-chain", "fingerprint": "fed0375caf4ecdbb17119a6a5af63fe6760e6fda3f8ca8fb43554bf037d60737", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|fed0375caf4ecdbb17119a6a5af63fe6760e6fda3f8ca8fb43554bf037d60737"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-rhel.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `redhat/ubi9:latest` unpinned"}, "properties": {"repobilityId": 110092, "scanner": "repobility-supply-chain", "fingerprint": "a79314938f80fe4b5ffa1e1152408a2c365e0fdf805318d7619d2bf119e45f0b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a79314938f80fe4b5ffa1e1152408a2c365e0fdf805318d7619d2bf119e45f0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-rhel.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `pgxn/pgxn-tools` unpinned"}, "properties": {"repobilityId": 110082, "scanner": "repobility-supply-chain", "fingerprint": "4efdf8b22a755933e84154443aa2b9f60471c1e537cd35e726616c80874b96e0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4efdf8b22a755933e84154443aa2b9f60471c1e537cd35e726616c80874b96e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-pgxn.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED126", "level": "error", 
"message": {"text": "Workflow container/services image `debian:13-slim` unpinned"}, "properties": {"repobilityId": 110080, "scanner": "repobility-supply-chain", "fingerprint": "819628a312c5293feda7612248a2a9f35f14e0f069ca9d9209ae7f4f9115abef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|819628a312c5293feda7612248a2a9f35f14e0f069ca9d9209ae7f4f9115abef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/antithesis-trigger-test-run.yml"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/create-github-app-token` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 110075, "scanner": "repobility-supply-chain", "fingerprint": "300f0441ce4e0613c901c17beb7b1750bbf23672d785c9e5318366f7530f6fe1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|300f0441ce4e0613c901c17beb7b1750bbf23672d785c9e5318366f7530f6fe1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-paradedb-docker.yml"}, "region": {"startLine": 332}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 110074, "scanner": "repobility-supply-chain", "fingerprint": "3b8c6bbbe5835d7606a1d846bc364dff3d243ba76ce0ef95d353ec7e813db7c4", "category": 
"dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3b8c6bbbe5835d7606a1d846bc364dff3d243ba76ce0ef95d353ec7e813db7c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-paradedb-docker.yml"}, "region": {"startLine": 258}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/create-github-app-token` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 110073, "scanner": "repobility-supply-chain", "fingerprint": "46787997a9eaefcb03357b0d1ef00e65d667f708d83ffaa372e034fa22b22ed6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|46787997a9eaefcb03357b0d1ef00e65d667f708d83ffaa372e034fa22b22ed6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-paradedb-docker.yml"}, "region": {"startLine": 252}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/attest-build-provenance` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 110072, "scanner": "repobility-supply-chain", "fingerprint": "c313ff0d4e34a804ca9a071be16e23e5ee7612c96396ab24768bab7feb1bc147", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], 
"observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c313ff0d4e34a804ca9a071be16e23e5ee7612c96396ab24768bab7feb1bc147"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-paradedb-docker.yml"}, "region": {"startLine": 236}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 110071, "scanner": "repobility-supply-chain", "fingerprint": "1ab1568bc1017ec104cc15e7acc97b1eafb23b760cbb909555503c4caa6145ee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ab1568bc1017ec104cc15e7acc97b1eafb23b760cbb909555503c4caa6145ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-paradedb-docker.yml"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 110070, "scanner": "repobility-supply-chain", "fingerprint": "338ea7e546c6623e56fafca354349416c4d1503f96f699f1ac0c23e0fb39c8dc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|338ea7e546c6623e56fafca354349416c4d1503f96f699f1ac0c23e0fb39c8dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-paradedb-docker.yml"}, "region": 
{"startLine": 83}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/create-github-app-token` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 110069, "scanner": "repobility-supply-chain", "fingerprint": "f1e5504d6a1561e0b3c6cb29c9853aec9a679ef1d2ad794cf05e8b0fc567c3aa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f1e5504d6a1561e0b3c6cb29c9853aec9a679ef1d2ad794cf05e8b0fc567c3aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-paradedb-docker.yml"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `amannn/action-semantic-pull-request` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 110068, "scanner": "repobility-supply-chain", "fingerprint": "cbdd9a045902d73620b0602ff294879ea0f2ef2bdb940d54166c5c24ff77d200", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cbdd9a045902d73620b0602ff294879ea0f2ef2bdb940d54166c5c24ff77d200"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint-pr-title.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `antithesishq/antithesis-trigger-action` pinned to mutable ref `@v0.11`"}, "properties": {"repobilityId": 110067, "scanner": "repobility-supply-chain", "fingerprint": 
"994d3566f80d57e5df373c11f2e162531d0a36ea21d9c16fad19bc5460c210b2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|994d3566f80d57e5df373c11f2e162531d0a36ea21d9c16fad19bc5460c210b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/antithesis-trigger-bug-report.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 110066, "scanner": "repobility-supply-chain", "fingerprint": "8a2c77ba3fe7d7bf5a3a8ee279bfe738bfc230937d0e7b41e8da0d4bd461f43e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8a2c77ba3fe7d7bf5a3a8ee279bfe738bfc230937d0e7b41e8da0d4bd461f43e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-pg_search-docker.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `codespell-project/actions-codespell` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 110064, "scanner": "repobility-supply-chain", "fingerprint": "01ac6cb30e7c0f589f1f92e0f812c901cdb223eb9c0dc44faa1b245187ac6ed6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|01ac6cb30e7c0f589f1f92e0f812c901cdb223eb9c0dc44faa1b245187ac6ed6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-typo.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 110063, "scanner": "repobility-supply-chain", "fingerprint": "f910e9c0e8233a8276ef4b9dffe1e11db7c5c97f5a7fd52c42a7bad235a72671", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f910e9c0e8233a8276ef4b9dffe1e11db7c5c97f5a7fd52c42a7bad235a72671"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-typo.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `DeterminateSystems/determinate-nix-action` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 110061, "scanner": "repobility-supply-chain", "fingerprint": "88a650e14ce78ebc0053244deaae19a368795aaf7897d072d6bd098123d986b7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|88a650e14ce78ebc0053244deaae19a368795aaf7897d072d6bd098123d986b7"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": ".github/workflows/test-pg_search-nix.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 110060, "scanner": "repobility-supply-chain", "fingerprint": "3a0c538c5268fd6ae5680479cb30e1c7c8ee864eaa75a09f9184ab3c15e570c4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3a0c538c5268fd6ae5680479cb30e1c7c8ee864eaa75a09f9184ab3c15e570c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-pg_search-nix.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/create-github-app-token` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 110059, "scanner": "repobility-supply-chain", "fingerprint": "861910b0cf6f818535f36aced31595ceb332098176ca1abc8cbd9e531cf88548", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|861910b0cf6f818535f36aced31595ceb332098176ca1abc8cbd9e531cf88548"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-pg_search-nix.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `debian:13-slim` unpinned"}, "properties": {"repobilityId": 110058, "scanner": 
"repobility-supply-chain", "fingerprint": "39b30bf2ce4226c6dd21347507394e5d86d27b4b4456df28aa7ce5b7895e8fd4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|39b30bf2ce4226c6dd21347507394e5d86d27b4b4456df28aa7ce5b7895e8fd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 175}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `debian:13-slim` unpinned"}, "properties": {"repobilityId": 110057, "scanner": "repobility-supply-chain", "fingerprint": "bfbc65a53a4ccad80933af36068293eb73105965f291acc212abfe8b6e8b66c5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bfbc65a53a4ccad80933af36068293eb73105965f291acc212abfe8b6e8b66c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `debian:13-slim` unpinned"}, "properties": {"repobilityId": 110056, "scanner": "repobility-supply-chain", "fingerprint": "4cc1d5ee785fe5ee36343b9645104e4bf6b64450b8e6ad68d29c7eaade64495e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4cc1d5ee785fe5ee36343b9645104e4bf6b64450b8e6ad68d29c7eaade64495e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `debian:13-slim` unpinned"}, "properties": {"repobilityId": 110055, "scanner": "repobility-supply-chain", "fingerprint": "03e3f980fb922846bd1e11801382d30fa907b126c37fe7b47d6c4cbbb1ebbe46", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|03e3f980fb922846bd1e11801382d30fa907b126c37fe7b47d6c4cbbb1ebbe46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `debian:13-slim` unpinned"}, "properties": {"repobilityId": 110054, "scanner": "repobility-supply-chain", "fingerprint": "2aaf3adde4ff69ef8d0c42ca322cbf34de6879437ddddc0e1236be8b5815b1dc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|2aaf3adde4ff69ef8d0c42ca322cbf34de6879437ddddc0e1236be8b5815b1dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 143}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `debian:13-slim` unpinned"}, "properties": {"repobilityId": 110053, "scanner": "repobility-supply-chain", "fingerprint": "5b28007bae6f6d903f4953dfd1306d4844c8064fb7f93ded7cff7b471d8994ae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5b28007bae6f6d903f4953dfd1306d4844c8064fb7f93ded7cff7b471d8994ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `debian:13-slim` unpinned"}, "properties": {"repobilityId": 110052, "scanner": "repobility-supply-chain", "fingerprint": "7fcbd0374ada81e0e2e294bd105d16ad787e0d84f11772834ddf24ac21723cb2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7fcbd0374ada81e0e2e294bd105d16ad787e0d84f11772834ddf24ac21723cb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED126", "level": 
"error", "message": {"text": "Workflow container/services image `debian:13-slim` unpinned"}, "properties": {"repobilityId": 110051, "scanner": "repobility-supply-chain", "fingerprint": "dc90a71eed2918909cbd90f63ad8343b24574c2a80df7d6e7a8b3edda1f0fa5e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dc90a71eed2918909cbd90f63ad8343b24574c2a80df7d6e7a8b3edda1f0fa5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 119}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `debian:12-slim` unpinned"}, "properties": {"repobilityId": 110050, "scanner": "repobility-supply-chain", "fingerprint": "b36e7dac3d8f884ab2bbead6044fc78902d6a0b5632f65051654330b85e60161", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b36e7dac3d8f884ab2bbead6044fc78902d6a0b5632f65051654330b85e60161"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `debian:12-slim` unpinned"}, "properties": {"repobilityId": 110049, "scanner": "repobility-supply-chain", "fingerprint": "8f5a369819e8b6f85f7b82da363d38ca1dc30449cebb7954b361ebb1117e38ed", 
"category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8f5a369819e8b6f85f7b82da363d38ca1dc30449cebb7954b361ebb1117e38ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `debian:12-slim` unpinned"}, "properties": {"repobilityId": 110048, "scanner": "repobility-supply-chain", "fingerprint": "a45be83efb6d645713725348a926c56c1307bb30d946657b42e97b259bea3b65", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a45be83efb6d645713725348a926c56c1307bb30d946657b42e97b259bea3b65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `debian:12-slim` unpinned"}, "properties": {"repobilityId": 110047, "scanner": "repobility-supply-chain", "fingerprint": "1e77b08ec5fd4a0192cc27cd94f74e79b1d32bea76d28722e6fe7cf9ce95c903", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], 
"languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e77b08ec5fd4a0192cc27cd94f74e79b1d32bea76d28722e6fe7cf9ce95c903"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `debian:12-slim` unpinned"}, "properties": {"repobilityId": 110046, "scanner": "repobility-supply-chain", "fingerprint": "33fa05a6b28a7c0aef96d0faede171ad279b921f54d2e34e658a74b6e778a34e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|33fa05a6b28a7c0aef96d0faede171ad279b921f54d2e34e658a74b6e778a34e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `debian:12-slim` unpinned"}, "properties": {"repobilityId": 110045, "scanner": "repobility-supply-chain", "fingerprint": "5e29a1b644021ce595df0cd3186265116d3d93abde03d42f484b65964783b9b5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5e29a1b644021ce595df0cd3186265116d3d93abde03d42f484b65964783b9b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `debian:12-slim` unpinned"}, "properties": {"repobilityId": 110044, "scanner": "repobility-supply-chain", "fingerprint": "12eaca2fa32f58d95397995c090ed8d5710ba9c94534f48f6d74814bf73b81e4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|12eaca2fa32f58d95397995c090ed8d5710ba9c94534f48f6d74814bf73b81e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `debian:12-slim` unpinned"}, "properties": {"repobilityId": 110043, "scanner": "repobility-supply-chain", "fingerprint": "b26cd3415d0fc2a0f09becf05b57c9b14387c457805224edf82c1a18b5b12259", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b26cd3415d0fc2a0f09becf05b57c9b14387c457805224edf82c1a18b5b12259"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `shogo82148/actions-upload-release-asset` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 
110042, "scanner": "repobility-supply-chain", "fingerprint": "ad797abda6b31691e75f8cfe9909c17de6fe2b101209175c5783ec9bcf4ddcb6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad797abda6b31691e75f8cfe9909c17de6fe2b101209175c5783ec9bcf4ddcb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 344}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/attest-build-provenance` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 110041, "scanner": "repobility-supply-chain", "fingerprint": "c54493b070b1670ac5e48684ad941fc47b8be289cef53e08764560efc0dc8e5d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c54493b070b1670ac5e48684ad941fc47b8be289cef53e08764560efc0dc8e5d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 321}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 110040, "scanner": "repobility-supply-chain", "fingerprint": "c293f2fb7fffcceed8dcffbb67a645a71f692da3ee100a28b45bffe65ae69a98", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", 
"evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c293f2fb7fffcceed8dcffbb67a645a71f692da3ee100a28b45bffe65ae69a98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 246}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions-rust-lang/setup-rust-toolchain` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 110039, "scanner": "repobility-supply-chain", "fingerprint": "280fe526c39568b9906ba84bab5178717408e33cce3568a62325d2e9262b3d03", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|280fe526c39568b9906ba84bab5178717408e33cce3568a62325d2e9262b3d03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 195}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 110038, "scanner": "repobility-supply-chain", "fingerprint": "37a52f612d3c3a04bd7f1baa7d5e5a95376d4251a45bdbcd3681c79eafa92e92", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|37a52f612d3c3a04bd7f1baa7d5e5a95376d4251a45bdbcd3681c79eafa92e92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-pg_search-debian.yml"}, "region": {"startLine": 184}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `jbergstroem/hadolint-gh-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 110037, "scanner": "repobility-supply-chain", "fingerprint": "e62a3764c3360f86fef0f2ea711d7ff47c738ee1ab8409483d44b6bceba004d0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e62a3764c3360f86fef0f2ea711d7ff47c738ee1ab8409483d44b6bceba004d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint-docker.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 110036, "scanner": "repobility-supply-chain", "fingerprint": "c6064588f1dea21add2e291d52fee228f9c01e598e1e492d6979355a44a2bc6a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c6064588f1dea21add2e291d52fee228f9c01e598e1e492d6979355a44a2bc6a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint-docker.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action 
`astral-sh/setup-uv` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 110035, "scanner": "repobility-supply-chain", "fingerprint": "34c1083977b1619dd382b04b660c188bed4d563c3df0cba90a0035f5e20be995", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|34c1083977b1619dd382b04b660c188bed4d563c3df0cba90a0035f5e20be995"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint-bash.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-python` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 110034, "scanner": "repobility-supply-chain", "fingerprint": "901b43d6370cd5134024f4af7507f29d4366a941164a9212687f44c22ee23e71", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|901b43d6370cd5134024f4af7507f29d4366a941164a9212687f44c22ee23e71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint-bash.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 110033, "scanner": "repobility-supply-chain", "fingerprint": "d08ca5439e77e9fb3d8f96b29e6a854278c971af3f60208d6f1b10a3b6b645af", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d08ca5439e77e9fb3d8f96b29e6a854278c971af3f60208d6f1b10a3b6b645af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint-bash.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `postgres:18-trixie` not pinned by digest"}, "properties": {"repobilityId": 110032, "scanner": "repobility-supply-chain", "fingerprint": "6875b7494da0768cb5bad933d52ce0c126e5172fa765328f5f25efd7db94c4a0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6875b7494da0768cb5bad933d52ce0c126e5172fa765328f5f25efd7db94c4a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.antithesis-18"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `postgres:16-trixie` not pinned by digest"}, "properties": {"repobilityId": 110031, "scanner": "repobility-supply-chain", "fingerprint": "63fe748610495db00b19bf085768497b2c4ab58b3add71c2b849e7c2a5649552", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|63fe748610495db00b19bf085768497b2c4ab58b3add71c2b849e7c2a5649552"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.official-16"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `postgres:17-trixie` not pinned by digest"}, "properties": {"repobilityId": 110030, "scanner": "repobility-supply-chain", "fingerprint": "0ac2e67b3219012cf7881848fe62edb92dab09260e00ed45e2fcd7da002b28fa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0ac2e67b3219012cf7881848fe62edb92dab09260e00ed45e2fcd7da002b28fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.official-17"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `postgres:15-trixie` not pinned by digest"}, "properties": {"repobilityId": 110029, "scanner": "repobility-supply-chain", "fingerprint": "44698f161d1e12f49046654de2d5f557a4f136c9486f51992d336af918045201", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|44698f161d1e12f49046654de2d5f557a4f136c9486f51992d336af918045201"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.paradedb-15"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM 
`postgres:18-trixie` not pinned by digest"}, "properties": {"repobilityId": 110028, "scanner": "repobility-supply-chain", "fingerprint": "665861170f96df375f9731fb09802ccdcc6cc8f526d244e63117ed9bda770d9e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|665861170f96df375f9731fb09802ccdcc6cc8f526d244e63117ed9bda770d9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.paradedb-18"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `postgres:18-trixie` not pinned by digest"}, "properties": {"repobilityId": 110027, "scanner": "repobility-supply-chain", "fingerprint": "eb087806da2e0f9a943ba6b679f95f291bb4767fbad3e2db3cab1384eab70538", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb087806da2e0f9a943ba6b679f95f291bb4767fbad3e2db3cab1384eab70538"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.official-18"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `postgres:17-trixie` not pinned by digest"}, "properties": {"repobilityId": 110026, "scanner": "repobility-supply-chain", "fingerprint": "2321fcbd9f1dbe7ee7dcfacf34ba22a56b0c2f3dcd7e23d3d9776554a73966fb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2321fcbd9f1dbe7ee7dcfacf34ba22a56b0c2f3dcd7e23d3d9776554a73966fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.paradedb-17"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `rust:1.96-slim-trixie` not pinned by digest"}, "properties": {"repobilityId": 110025, "scanner": "repobility-supply-chain", "fingerprint": "bbf57599c97861413d0371740020ee7a5fe27834b40cf1087325a5e1661fdc49", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bbf57599c97861413d0371740020ee7a5fe27834b40cf1087325a5e1661fdc49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.stressgres"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `postgres:15-trixie` not pinned by digest"}, "properties": {"repobilityId": 110024, "scanner": "repobility-supply-chain", "fingerprint": "52a1b8330c0dcd86436c0123389aac4e736fe339874c6394a51ed3edda491294", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|52a1b8330c0dcd86436c0123389aac4e736fe339874c6394a51ed3edda491294"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.official-15"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `postgres:16-trixie` not pinned by digest"}, "properties": {"repobilityId": 110023, "scanner": "repobility-supply-chain", "fingerprint": "9b7e887b858f13556fa3947169773fa2d9469a2ad431d497fec64667cd1041ee", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9b7e887b858f13556fa3947169773fa2d9469a2ad431d497fec64667cd1041ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.paradedb-16"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `rust:1.96-slim` not pinned by digest"}, "properties": {"repobilityId": 110022, "scanner": "repobility-supply-chain", "fingerprint": "d4039a5c8fad471a85f81b2d906ceb8cd5732123d130697c4d4d6d8785d6c0d3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d4039a5c8fad471a85f81b2d906ceb8cd5732123d130697c4d4d6d8785d6c0d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.proptests"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook 
`https://github.com/ComPWA/taplo-pre-commit` pinned to mutable rev `v0.9.3`"}, "properties": {"repobilityId": 110021, "scanner": "repobility-supply-chain", "fingerprint": "c53ceeb8f511ed178853c3d8cc4febfee5aba9b041457cd3fbaf6abacda5418d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c53ceeb8f511ed178853c3d8cc4febfee5aba9b041457cd3fbaf6abacda5418d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/pylint-dev/pylint` pinned to mutable rev `v4.0.4`"}, "properties": {"repobilityId": 110020, "scanner": "repobility-supply-chain", "fingerprint": "636c2581d81f6f75a3e07a70138ed794d2a11c926689266b28d72b061027f095", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|636c2581d81f6f75a3e07a70138ed794d2a11c926689266b28d72b061027f095"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.15.0`"}, "properties": {"repobilityId": 110019, "scanner": "repobility-supply-chain", "fingerprint": "be614227bdcb7c21089c2220230a71c2a55ff0d911aa6bdaae780322d058406f", 
"category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be614227bdcb7c21089c2220230a71c2a55ff0d911aa6bdaae780322d058406f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/doublify/pre-commit-rust` pinned to mutable rev `v1.0`"}, "properties": {"repobilityId": 110018, "scanner": "repobility-supply-chain", "fingerprint": "dfd7e0a7dfc6ec5b4cc4f7d7059e00ed78993a5de9785638f90f48433c83f7a6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dfd7e0a7dfc6ec5b4cc4f7d7059e00ed78993a5de9785638f90f48433c83f7a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/kaechele/pre-commit-mirror-prettier` pinned to mutable rev `v3.8.1`"}, "properties": {"repobilityId": 110017, "scanner": "repobility-supply-chain", "fingerprint": "0781b74382b2f97b9ac6846c7f5ebeb54767e106e65c847e1afb49a7f2c8aec8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": 
"A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0781b74382b2f97b9ac6846c7f5ebeb54767e106e65c847e1afb49a7f2c8aec8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/igorshubovych/markdownlint-cli` pinned to mutable rev `v0.47.0`"}, "properties": {"repobilityId": 110016, "scanner": "repobility-supply-chain", "fingerprint": "238a00e14b3446bef7e20f45c0c5880a52f979cb4625e3d91c3cd1343279a2ca", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|238a00e14b3446bef7e20f45c0c5880a52f979cb4625e3d91c3cd1343279a2ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/koalaman/shellcheck-precommit` pinned to mutable rev `v0.11.0`"}, "properties": {"repobilityId": 110015, "scanner": "repobility-supply-chain", "fingerprint": "97913c2b27489ef6d3688549760485d829e6d513675b657bb357486a997bb156", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|97913c2b27489ef6d3688549760485d829e6d513675b657bb357486a997bb156"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/scop/pre-commit-shfmt` pinned to mutable rev `v3.12.0-2`"}, "properties": {"repobilityId": 110014, "scanner": "repobility-supply-chain", "fingerprint": "cbbd6086e4340ffc6ac09be030dd606b6e9ef3aef6c0ea65075e5c92392c9665", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cbbd6086e4340ffc6ac09be030dd606b6e9ef3aef6c0ea65075e5c92392c9665"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v6.0.0`"}, "properties": {"repobilityId": 110013, "scanner": "repobility-supply-chain", "fingerprint": "0a1d0117b5ae7bcda5c43a01a1e89419e3cc2dcf0b49e02b03856dcead7aa7fd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a1d0117b5ae7bcda5c43a01a1e89419e3cc2dcf0b49e02b03856dcead7aa7fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 5}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially 
exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 110170, "scanner": "gitleaks", "fingerprint": "57e49cfc311d6516dcf7b4b42b79539f0241f1ff9c57e38e56c316489defe335", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "Key: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|249|key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/tests/pg_regress/expected/numeric_pushdown.out"}, "region": {"startLine": 2497}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 110169, "scanner": "gitleaks", "fingerprint": "0cfe1b1e737f2278da5fef7e95ce889c1aec2d939f4b7e46ac88646137c96dbd", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "Key: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|246|key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/tests/pg_regress/expected/numeric_pushdown.out"}, "region": {"startLine": 2465}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 110168, "scanner": "gitleaks", "fingerprint": "87028a9baecabfc7d32afb9bfa123bbfd8346b649d441b3495db1f08b94dbee4", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"match": "Key: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|243|key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/tests/pg_regress/expected/numeric_pushdown.out"}, "region": {"startLine": 2434}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 110167, "scanner": "gitleaks", "fingerprint": "93ab5413801fc90d3792f235bd304123618f8e1c3d2310543f11a48d02c58a00", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "Key: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|240|key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/tests/pg_regress/expected/numeric_pushdown.out"}, "region": {"startLine": 2404}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 110166, "scanner": "gitleaks", "fingerprint": "06a6c7a504f71f4a80a1030f35e9e38c8274d8fba4bb6ec1eae93c99d66c1c91", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "Key: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|237|key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/tests/pg_regress/expected/numeric_pushdown.out"}, "region": {"startLine": 2373}}}]}, {"ruleId": "generic-api-key", "level": "error", 
"message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 110165, "scanner": "gitleaks", "fingerprint": "78664d3da1448c4c6a4143c5705f3a7df604a23b44e3e1e822a1682579ada2c2", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "Key: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|125|key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/tests/pg_regress/expected/numeric_pushdown.out"}, "region": {"startLine": 1255}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 110164, "scanner": "gitleaks", "fingerprint": "3500e70573edc00a68430212eac3958e09e0c1b32750f61fbee9e3e503ddff52", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "Key: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|23|key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/tests/pg_regress/expected/numeric_pushdown.out"}, "region": {"startLine": 236}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 110163, "scanner": "gitleaks", "fingerprint": "3f2863b05d44aa91551220521dec75ee7b8f8ccb274b5ef122d48539cdb8684e", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": 
"", "isResolved": false, "reason": "", "evidence": {"match": "Key: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|20|key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/tests/pg_regress/expected/numeric_pushdown.out"}, "region": {"startLine": 204}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 110162, "scanner": "gitleaks", "fingerprint": "d515e73ef3a3b74ea135a8bd676a2b9522c9576f3dfa5af8ce35d487ca62a428", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "Key: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|17|key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/tests/pg_regress/expected/numeric_pushdown.out"}, "region": {"startLine": 173}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 110161, "scanner": "gitleaks", "fingerprint": "7e44528c9179423e69f43cc3d4b27e71d9a1c85b43735e51ca15da00a1e60709", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "Key: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|14|key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/tests/pg_regress/expected/numeric_pushdown.out"}, "region": {"startLine": 144}}}]}, {"ruleId": 
"generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 110160, "scanner": "gitleaks", "fingerprint": "8b4015074d57b48114197717ceebb1ab07e9efef94e8f15ba92ce6499bc94540", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "Key: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|11|key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/tests/pg_regress/expected/numeric_pushdown.out"}, "region": {"startLine": 111}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 110159, "scanner": "gitleaks", "fingerprint": "10fb10cb59032201f19144b0d8b43f2662bacd8958859bb7a5f30002ccc1ae81", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "Key: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|7|key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/tests/pg_regress/expected/numeric_pushdown.out"}, "region": {"startLine": 77}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 110158, "scanner": "gitleaks", "fingerprint": "af379567d9f23d486cedff0470af8e7b3fb5b5ae4bb3c197ec438a7a56bf6639", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "Key: REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|4|key: redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pg_search/tests/pg_regress/expected/numeric_pushdown.out"}, "region": {"startLine": 48}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 110157, "scanner": "gitleaks", "fingerprint": "e1f84ccf17b5effd049009a68bdee146cf2a9525e1f5fcbced9d12bc30e4c968", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "apiKey\": \"<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|docs/docs.json|54|apikey : redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/docs.json"}, "region": {"startLine": 548}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 110155, "scanner": "repobility-docker", "fingerprint": "8361ba2ad75025e21042461bdfada9e6f1a71c98ea7ba0c4c82eecf06a038a5f", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "paradedb", "variable": "POSTGRES_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", 
"correlation_key": "fp|8361ba2ad75025e21042461bdfada9e6f1a71c98ea7ba0c4c82eecf06a038a5f", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 110118, "scanner": "repobility-threat-engine", "fingerprint": "fde4288a3a8de82b7e7f0332daaaac449a9d06b52caeb0aca876c913545e08a9", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fde4288a3a8de82b7e7f0332daaaac449a9d06b52caeb0aca876c913545e08a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/smoke_test_code_snippets.sh"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED013", "level": "error", "message": {"text": "[MINED013] Password In Url: https://user:password@host \u2014 leaks creds via logs, referrer, error messages."}, "properties": {"repobilityId": 110117, "scanner": "repobility-threat-engine", "fingerprint": "35347bd03d422c5f9719297fc847634fc55e968021279c0acc7e491f4b0b23d7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "password-in-url", "owasp": "A07:2021", "cwe_ids": ["CWE-200"], "precision": 1.0, "promoted_at": 
"2026-05-18T14:01:32.347928+00:00", "triaged_in_corpus": 20, "observations_count": 121646, "ai_coder_pattern_id": 37}, "scanner": "repobility-threat-engine", "correlation_key": "fp|35347bd03d422c5f9719297fc847634fc55e968021279c0acc7e491f4b0b23d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/drizzle_snippet_harness.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password. These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 110115, "scanner": "repobility-threat-engine", "fingerprint": "e73e7ad08e62c5efe739cbfc368326f190978f949e474f47d18679f5435eac6d", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "postgresql://postgres:antithesis-super-secret-password@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|token|1|token", "duplicate_count": 1, "duplicate_rule_ids": ["SEC022"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["e5384200c45f539c98bcb9dfc308f0265a1530f93856da8bfe2ecae8d0915915", "e73e7ad08e62c5efe739cbfc368326f190978f949e474f47d18679f5435eac6d"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "stressgres/suites/antithesis/singleton_driver_background-merge.sh"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC022", "level": "error", "message": {"text": "[SEC022] Database URL With Embedded Credential: A database connection URL contains an embedded username and password.
These URLs are often copied into defaults, docs, and scripts, then leak working credentials."}, "properties": {"repobilityId": 110114, "scanner": "repobility-threat-engine", "fingerprint": "3d52a3e322bdf79ff052b4f3f34c719c1fa52ac4c8772325bc3f37013bcd0aa3", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "postgres://postgres:postgres@", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC022", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|. token|1|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/drizzle_snippet_harness.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SLACK_BENCHMARKS_CHANNEL_ID` on a `pull_request` trigger"}, "properties": {"repobilityId": 110107, "scanner": "repobility-supply-chain", "fingerprint": "448c25f595e5eb9cc1c2dd529ba49d7915f514eef051b6e3ec1fe3b9ca826187", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|448c25f595e5eb9cc1c2dd529ba49d7915f514eef051b6e3ec1fe3b9ca826187"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark-pg_search-stressgres.yml"}, "region": {"startLine": 252}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SLACK_OAUTH_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 110106, "scanner": "repobility-supply-chain", "fingerprint": 
"e8880226a4dd5cce5fdcd6fc401aab8a95dbe3f23d8c55a044b7492496f25bac", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e8880226a4dd5cce5fdcd6fc401aab8a95dbe3f23d8c55a044b7492496f25bac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark-pg_search-stressgres.yml"}, "region": {"startLine": 251}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.PARADEDB_GITHUB_APP_PRIVATE_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 110105, "scanner": "repobility-supply-chain", "fingerprint": "c7755efc6e3b410ae65898f6f6a3d8675c7c230b0227d0b73c40511d9d5b4ff9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c7755efc6e3b410ae65898f6f6a3d8675c7c230b0227d0b73c40511d9d5b4ff9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark-pg_search-stressgres.yml"}, "region": {"startLine": 250}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SLACK_BENCHMARKS_CHANNEL_ID` on a `pull_request` trigger"}, "properties": {"repobilityId": 110104, "scanner": "repobility-supply-chain", "fingerprint": "28ccbdbd08e8d947d1b1ad183d198dd1abb7433f90298218c54efa401675ad78", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": 
false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|28ccbdbd08e8d947d1b1ad183d198dd1abb7433f90298218c54efa401675ad78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark-pg_search-stressgres.yml"}, "region": {"startLine": 241}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SLACK_OAUTH_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 110103, "scanner": "repobility-supply-chain", "fingerprint": "b97dbd9022b863ae19e49569fab3baf8c4cb5165e3ef4956014f74eb1f5f806e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b97dbd9022b863ae19e49569fab3baf8c4cb5165e3ef4956014f74eb1f5f806e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark-pg_search-stressgres.yml"}, "region": {"startLine": 240}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.PARADEDB_GITHUB_APP_PRIVATE_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 110102, "scanner": "repobility-supply-chain", "fingerprint": "6138cfb75db2b27072b297fa02dcbbe03c70dd0729bfbb47d557e0ff0b1f8feb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": 
"repobility-supply-chain", "correlation_key": "fp|6138cfb75db2b27072b297fa02dcbbe03c70dd0729bfbb47d557e0ff0b1f8feb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark-pg_search-stressgres.yml"}, "region": {"startLine": 239}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SLACK_BENCHMARKS_CHANNEL_ID` on a `pull_request` trigger"}, "properties": {"repobilityId": 110101, "scanner": "repobility-supply-chain", "fingerprint": "e59ef45fb180123d6d53c3db8df51979a981881acc762c76250c6fb46f8ae44c", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e59ef45fb180123d6d53c3db8df51979a981881acc762c76250c6fb46f8ae44c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark-pg_search-stressgres.yml"}, "region": {"startLine": 230}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SLACK_OAUTH_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 110100, "scanner": "repobility-supply-chain", "fingerprint": "d9ef173ae2135a7198df6ffab062035df131625bedd80a1c042e01a816921832", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d9ef173ae2135a7198df6ffab062035df131625bedd80a1c042e01a816921832"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/benchmark-pg_search-stressgres.yml"}, "region": {"startLine": 229}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.PARADEDB_GITHUB_APP_PRIVATE_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 110099, "scanner": "repobility-supply-chain", "fingerprint": "fa3811fd639333b5d41966334969ca567e7d990c35bcf2d277a20ee2ab8848f1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fa3811fd639333b5d41966334969ca567e7d990c35bcf2d277a20ee2ab8848f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark-pg_search-stressgres.yml"}, "region": {"startLine": 228}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SLACK_GITHUB_CHANNEL_WEBHOOK_URL` on a `pull_request` trigger"}, "properties": {"repobilityId": 110091, "scanner": "repobility-supply-chain", "fingerprint": "b8d44ec0cda93f5bf145d54c6da74989b235cb996991626bf57c9e27c0ec0bd1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b8d44ec0cda93f5bf145d54c6da74989b235cb996991626bf57c9e27c0ec0bd1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark-pg_search-benchmarks.yml"}, "region": {"startLine": 346}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses 
`secrets.SLACK_BENCHMARKS_CHANNEL_ID` on a `pull_request` trigger"}, "properties": {"repobilityId": 110090, "scanner": "repobility-supply-chain", "fingerprint": "489e099aa64fa2b702bc95f10a2a4059e2513fc4c50ba847d5e21252f5f33535", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|489e099aa64fa2b702bc95f10a2a4059e2513fc4c50ba847d5e21252f5f33535"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark-pg_search-benchmarks.yml"}, "region": {"startLine": 337}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SLACK_OAUTH_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 110089, "scanner": "repobility-supply-chain", "fingerprint": "225bdb7b5229ef561c5b5608b6b90132d4f24f60007237cdf2c7cff4313d06a4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|225bdb7b5229ef561c5b5608b6b90132d4f24f60007237cdf2c7cff4313d06a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark-pg_search-benchmarks.yml"}, "region": {"startLine": 336}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SLACK_BENCHMARKS_CHANNEL_ID` on a `pull_request` trigger"}, "properties": {"repobilityId": 110088, "scanner": "repobility-supply-chain", "fingerprint": 
"48403714f07253a37b2468d0ee9101be2246eb57ebf348c91f12c0e2c78786e9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|48403714f07253a37b2468d0ee9101be2246eb57ebf348c91f12c0e2c78786e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark-pg_search-benchmarks.yml"}, "region": {"startLine": 322}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SLACK_OAUTH_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 110087, "scanner": "repobility-supply-chain", "fingerprint": "e786ba110b38572652167f2d2e4d2dc00d504ad4adbe729ad8d89175dc8a53b9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e786ba110b38572652167f2d2e4d2dc00d504ad4adbe729ad8d89175dc8a53b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark-pg_search-benchmarks.yml"}, "region": {"startLine": 321}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SLACK_BENCHMARKS_CHANNEL_ID` on a `pull_request` trigger"}, "properties": {"repobilityId": 110086, "scanner": "repobility-supply-chain", "fingerprint": "d8dd926178f730ee581953e12e760cf110ff977969c0541d80de77040afd55ba", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": 
"", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d8dd926178f730ee581953e12e760cf110ff977969c0541d80de77040afd55ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark-pg_search-benchmarks.yml"}, "region": {"startLine": 307}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SLACK_OAUTH_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 110085, "scanner": "repobility-supply-chain", "fingerprint": "73a47ba69cbd77879e9f84755418a9b3cb21010a19c114cdaea9d3f1bbe530a5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|73a47ba69cbd77879e9f84755418a9b3cb21010a19c114cdaea9d3f1bbe530a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark-pg_search-benchmarks.yml"}, "region": {"startLine": 306}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.AWS_CI_SUBACCOUNT_GITHUB_ACTIONS_USER_AWS_SECRET_ACCESS_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 110084, "scanner": "repobility-supply-chain", "fingerprint": "aa9920c24c4dc680c6d06a26cae7db193429f5691e568fe5be6f6ae0d299bf5a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, 
"scanner": "repobility-supply-chain", "correlation_key": "fp|aa9920c24c4dc680c6d06a26cae7db193429f5691e568fe5be6f6ae0d299bf5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark-pg_search-benchmarks.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.AWS_CI_SUBACCOUNT_GITHUB_ACTIONS_USER_AWS_ACCESS_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 110083, "scanner": "repobility-supply-chain", "fingerprint": "23c8577a47c4c30fcb48ac80103630d128cbaf6734e0d789066da9584ffd4546", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|23c8577a47c4c30fcb48ac80103630d128cbaf6734e0d789066da9584ffd4546"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/benchmark-pg_search-benchmarks.yml"}, "region": {"startLine": 107}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 110081, "scanner": "repobility-supply-chain", "fingerprint": "77197914e0ea65efabbc01dafd5c934850530781be0934703a6b1f42c13c82af", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|77197914e0ea65efabbc01dafd5c934850530781be0934703a6b1f42c13c82af"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": ".github/workflows/test-pg_search.yml"}, "region": {"startLine": 369}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.SLACK_GITHUB_CHANNEL_WEBHOOK_URL` on a `pull_request` trigger"}, "properties": {"repobilityId": 110079, "scanner": "repobility-supply-chain", "fingerprint": "0055ae073d7be369ceea0ee5f2bd6727544eae06a16028c16c100a5440c46772", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0055ae073d7be369ceea0ee5f2bd6727544eae06a16028c16c100a5440c46772"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/antithesis-trigger-test-run.yml"}, "region": {"startLine": 403}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.ANTITHESIS_GITHUB_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 110078, "scanner": "repobility-supply-chain", "fingerprint": "dcfc79b6d874f9fca89767610861b2492b3f6f8c231197763463ae37b940ddac", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dcfc79b6d874f9fca89767610861b2492b3f6f8c231197763463ae37b940ddac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/antithesis-trigger-test-run.yml"}, "region": {"startLine": 377}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.ANTITHESIS_PASSWORD` on a 
`pull_request` trigger"}, "properties": {"repobilityId": 110077, "scanner": "repobility-supply-chain", "fingerprint": "84d0877dd8a2b838d4e7431ae62267ab7545f0bf96e91af9a76275a7f01817b7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|84d0877dd8a2b838d4e7431ae62267ab7545f0bf96e91af9a76275a7f01817b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/antithesis-trigger-test-run.yml"}, "region": {"startLine": 376}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.ANTITHESIS_REGISTRY_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 110076, "scanner": "repobility-supply-chain", "fingerprint": "ad89fa6a1c9ea686a8d78fbdae7692a9e01379570202297904b6da15c788d188", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad89fa6a1c9ea686a8d78fbdae7692a9e01379570202297904b6da15c788d188"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/antithesis-trigger-test-run.yml"}, "region": {"startLine": 289}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.DOCKERHUB_ACCESS_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 110065, "scanner": "repobility-supply-chain", "fingerprint": "0a8bbf6417db6c14831b4366c6f87a22ce596476eb718b8915628d82a7ad5c39", "category": "dependency", 
"severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a8bbf6417db6c14831b4366c6f87a22ce596476eb718b8915628d82a7ad5c39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/check-typo.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.PARADEDB_GITHUB_APP_PRIVATE_KEY` on a `pull_request` trigger"}, "properties": {"repobilityId": 110062, "scanner": "repobility-supply-chain", "fingerprint": "01b847ace04415da09a5a6e3e5f93594af817dbbf994b65f7cfde81e73ddab8e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|01b847ace04415da09a5a6e3e5f93594af817dbbf994b65f7cfde81e73ddab8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test-pg_search-nix.yml"}, "region": {"startLine": 46}}}]}]}]}