{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "GHSA-hr2v-4r36-88hr", "name": "helm.sh/helm/v3: GHSA-hr2v-4r36-88hr", "shortDescription": {"text": "helm.sh/helm/v3: GHSA-hr2v-4r36-88hr"}, "fullDescription": {"text": "Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Without .dockerignore, build context can include source history, local env files, dependencies, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "GHSA-j88v-2chj-qfwx", "name": "github.com/jackc/pgx/v5: GHSA-j88v-2chj-qfwx", "shortDescription": {"text": "github.com/jackc/pgx/v5: GHSA-j88v-2chj-qfwx"}, "fullDescription": {"text": "pgx: SQL Injection via placeholder confusion with dollar quoted string literals"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. 
They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5024", "name": "golang.org/x/sys: GO-2026-5024", "shortDescription": {"text": "golang.org/x/sys: GO-2026-5024"}, "fullDescription": {"text": "Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5030", "name": "golang.org/x/net: GO-2026-5030", "shortDescription": {"text": "golang.org/x/net: GO-2026-5030"}, "fullDescription": {"text": "Invoking duplicate attributes can cause XSS in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5029", "name": "golang.org/x/net: GO-2026-5029", "shortDescription": {"text": "golang.org/x/net: GO-2026-5029"}, "fullDescription": {"text": "Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5028", "name": "golang.org/x/net: GO-2026-5028", "shortDescription": {"text": "golang.org/x/net: 
GO-2026-5028"}, "fullDescription": {"text": "Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5027", "name": "golang.org/x/net: GO-2026-5027", "shortDescription": {"text": "golang.org/x/net: GO-2026-5027"}, "fullDescription": {"text": "Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5026", "name": "golang.org/x/net: GO-2026-5026", "shortDescription": {"text": "golang.org/x/net: GO-2026-5026"}, "fullDescription": {"text": "Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5025", "name": "golang.org/x/net: GO-2026-5025", "shortDescription": {"text": "golang.org/x/net: GO-2026-5025"}, "fullDescription": {"text": "Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4918", "name": "golang.org/x/net: GO-2026-4918", "shortDescription": {"text": "golang.org/x/net: GO-2026-4918"}, "fullDescription": {"text": "Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5033", "name": "golang.org/x/crypto: GO-2026-5033", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5033"}, "fullDescription": {"text": 
"Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5023", "name": "golang.org/x/crypto: GO-2026-5023", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5023"}, "fullDescription": {"text": "Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5021", "name": "golang.org/x/crypto: GO-2026-5021", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5021"}, "fullDescription": {"text": "Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5020", "name": "golang.org/x/crypto: GO-2026-5020", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5020"}, "fullDescription": {"text": "Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5019", "name": "golang.org/x/crypto: GO-2026-5019", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5019"}, "fullDescription": {"text": "Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5018", "name": "golang.org/x/crypto: GO-2026-5018", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5018"}, "fullDescription": {"text": "Invoking pathological RSA/DSA parameters may cause DoS in 
golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5017", "name": "golang.org/x/crypto: GO-2026-5017", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5017"}, "fullDescription": {"text": "Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5016", "name": "golang.org/x/crypto: GO-2026-5016", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5016"}, "fullDescription": {"text": "Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5015", "name": "golang.org/x/crypto: GO-2026-5015", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5015"}, "fullDescription": {"text": "Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5014", "name": "golang.org/x/crypto: GO-2026-5014", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5014"}, "fullDescription": {"text": "Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5013", "name": "golang.org/x/crypto: GO-2026-5013", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5013"}, "fullDescription": {"text": "Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh"}, "properties": {"scanner": "osv-scanner", "category": 
"dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5006", "name": "golang.org/x/crypto: GO-2026-5006", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5006"}, "fullDescription": {"text": "Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5005", "name": "golang.org/x/crypto: GO-2026-5005", "shortDescription": {"text": "golang.org/x/crypto: GO-2026-5005"}, "fullDescription": {"text": "Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-mh2q-q3fh-2475", "name": "go.opentelemetry.io/otel: GHSA-mh2q-q3fh-2475", "shortDescription": {"text": "go.opentelemetry.io/otel: GHSA-mh2q-q3fh-2475"}, "fullDescription": {"text": "OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4958", "name": "github.com/moby/spdystream: GO-2026-4958", "shortDescription": {"text": "github.com/moby/spdystream: GO-2026-4958"}, "fullDescription": {"text": "Uncontrolled resource consumption when parsing SPDY frames in github.com/moby/spdystream"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4771", "name": "github.com/jackc/pgx/v5: GO-2026-4771", "shortDescription": {"text": "github.com/jackc/pgx/v5: GO-2026-4771"}, "fullDescription": {"text": "CVE-2026-33815 in github.com/jackc/pgx"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", 
"confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-fqw6-gf59-qr4w", "name": "github.com/containerd/containerd: GHSA-fqw6-gf59-qr4w", "shortDescription": {"text": "github.com/containerd/containerd: GHSA-fqw6-gf59-qr4w"}, "fullDescription": {"text": "containerd user ID handling bypass allows runAsNonRoot evasion"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC061", "name": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from", "shortDescription": {"text": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT)."}, "fullDescription": {"text": "If the JWT is live, invalidate by rotating the signing key. Move tokens out of source."}, "properties": {"scanner": "repobility-threat-engine", "category": "secret", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `peaceiris/actions-label-commenter` pinned to mutable ref `@v1`", "shortDescription": {"text": "Action `peaceiris/actions-label-commenter` pinned to mutable ref `@v1`"}, "fullDescription": {"text": "`uses: peaceiris/actions-label-commenter@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a full 40-character commit SHA, and use Dependabot or Renovate to keep the pinned SHA up to date."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `gcr.io/distroless/static:nonroot` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `gcr.io/distroless/static:nonroot` not pinned by digest"}, "fullDescription": {"text": "`FROM gcr.io/distroless/static:nonroot` resolves the tag at build time. A tag is mutable: a different image can be pushed to the registry under the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility and supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "GHSA-p77j-4mvh-x3m3", "name": "google.golang.org/grpc: GHSA-p77j-4mvh-x3m3", "shortDescription": {"text": "google.golang.org/grpc: GHSA-p77j-4mvh-x3m3"}, "fullDescription": {"text": "gRPC-Go has an authorization bypass via missing leading slash in :path"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GHSA-9jj7-4m8r-rfcm", "name": "github.com/jackc/pgx/v5: GHSA-9jj7-4m8r-rfcm", "shortDescription": {"text": "github.com/jackc/pgx/v5: GHSA-9jj7-4m8r-rfcm"}, "fullDescription": {"text": "Memory-safety vulnerability in github.com/jackc/pgx/v5."}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "jwt", "name": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.", "shortDescription": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "fullDescription": {"text": "Gitleaks detected a committed 
secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1097"}, "properties": {"repository": "meshery/meshery-operator", "repoUrl": "https://github.com/meshery/meshery-operator", "branch": "master"}, "results": [{"ruleId": "GHSA-hr2v-4r36-88hr", "level": "warning", "message": {"text": "helm.sh/helm/v3: GHSA-hr2v-4r36-88hr"}, "properties": {"repobilityId": 107578, "scanner": "osv-scanner", "fingerprint": "59882868b8fae2c5b6e50a1026dfc63cc40772ba3548464371cda2d5702b328a", "category": "dependency", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-helm-2026-35206", "CVE-2026-35206"], "package": "helm.sh/helm/v3", "rule_id": "GHSA-hr2v-4r36-88hr", "scanner": "osv-scanner", "correlation_key": "vuln|helm.sh/helm/v3|CVE-2026-35206|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 107548, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-j88v-2chj-qfwx", "level": 
"note", "message": {"text": "github.com/jackc/pgx/v5: GHSA-j88v-2chj-qfwx"}, "properties": {"repobilityId": 107553, "scanner": "osv-scanner", "fingerprint": "ebf4cab495a434b7a5d51fc5ad3320b9742fcb74a82d55076352c73f9560a54b", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-41889"], "package": "github.com/jackc/pgx/v5", "rule_id": "GHSA-j88v-2chj-qfwx", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/jackc/pgx/v5|CVE-2026-41889|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107515, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e4ba4a860a046179d1c65b99249a3dd4de7e3c022cd163076fdb44c52dd17c92", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/meshsync/error.go", "duplicate_line": 1, "correlation_key": "fp|e4ba4a860a046179d1c65b99249a3dd4de7e3c022cd163076fdb44c52dd17c92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/meshsync/resources.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107514, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d93fda41ee29833fec29b7de1b52fd46c88e483585d680ae5f742dd6c6b8e589", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/broker/broker.go", "duplicate_line": 58, "correlation_key": "fp|d93fda41ee29833fec29b7de1b52fd46c88e483585d680ae5f742dd6c6b8e589"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/meshsync/meshsync.go"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107513, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3896c8ccf7d32cd91b7b963e65283f068040332065142e898974471e4eec96f9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/meshsync/error.go", "duplicate_line": 1, "correlation_key": "fp|3896c8ccf7d32cd91b7b963e65283f068040332065142e898974471e4eec96f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/meshsync/meshsync.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107512, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b2d0f72948b94b7a9bf8bf50e61d6a587497ca08569dee09319777e84f4bc49b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "pkg/broker/error.go", "duplicate_line": 12, "correlation_key": "fp|b2d0f72948b94b7a9bf8bf50e61d6a587497ca08569dee09319777e84f4bc49b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/meshsync/error.go"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107511, "scanner": "repobility-ai-code-hygiene", "fingerprint": "16a598e6c34489d6d61fba279bc5f5508e6ad6a634458e39b72a2aa3d4f066c2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "controllers/broker_controller.go", "duplicate_line": 1, "correlation_key": "fp|16a598e6c34489d6d61fba279bc5f5508e6ad6a634458e39b72a2aa3d4f066c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "controllers/meshsync_controller.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107510, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9ed68bda510f5579e96523b2c0c28fda9cd19a25a03b5aaa10b2ec92d50e6ccf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "controllers/broker_controller.go", "duplicate_line": 1, "correlation_key": 
"fp|9ed68bda510f5579e96523b2c0c28fda9cd19a25a03b5aaa10b2ec92d50e6ccf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "controllers/error.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 107509, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dc71620ab7e142ef02d21a7d0a3f0690ebcc0f79dbc211dfc2d736c799e7fa7a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/v1alpha1/groupversion_info.go", "duplicate_line": 1, "correlation_key": "fp|dc71620ab7e142ef02d21a7d0a3f0690ebcc0f79dbc211dfc2d736c799e7fa7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/v1alpha1/meshsync_types.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 107546, "scanner": "repobility-threat-engine", "fingerprint": "eae1e8fab9889f0af0f21f1e9feee5af5bdf56bab4b240b20c25ac339c8e81f0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|eae1e8fab9889f0af0f21f1e9feee5af5bdf56bab4b240b20c25ac339c8e81f0", "aggregated_count": 8}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 107545, "scanner": "repobility-threat-engine", "fingerprint": "522a38a244962ef0fb37a1da45e7b289da3dc1dc31ba9c4e9a93be715510096b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|522a38a244962ef0fb37a1da45e7b289da3dc1dc31ba9c4e9a93be715510096b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/v1alpha1/meshsync_types.go"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 107544, "scanner": "repobility-threat-engine", "fingerprint": "615a4cf3dbd83bbee9fa7632c1e787e86eee33eef2f17706eceac2dc6e6e54a1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|615a4cf3dbd83bbee9fa7632c1e787e86eee33eef2f17706eceac2dc6e6e54a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/v1alpha1/groupversion_info.go"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 107543, "scanner": "repobility-threat-engine", "fingerprint": "287ebe8cbd96f4f741c1df2346437e1d6e9dd99fcb4b46175c74396d38e43f7c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|287ebe8cbd96f4f741c1df2346437e1d6e9dd99fcb4b46175c74396d38e43f7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/v1alpha1/broker_types.go"}, "region": {"startLine": 6}}}]}, {"ruleId": "GO-2026-5024", "level": "error", "message": {"text": "golang.org/x/sys: GO-2026-5024"}, "properties": {"repobilityId": 107576, "scanner": "osv-scanner", "fingerprint": "79f10c25369703a3754463aae8a0158f89425541907e3182ad0da8006916ee19", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39824"], "package": "golang.org/x/sys", "rule_id": "GO-2026-5024", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/sys|CVE-2026-39824|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5030", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5030"}, "properties": {"repobilityId": 107575, "scanner": "osv-scanner", "fingerprint": "f56f13f5fd0d02e616781fb4e263264064c55d496b56f34e2e697db0a1750dd6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-27136"], "package": "golang.org/x/net", "rule_id": "GO-2026-5030", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-27136|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5029", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5029"}, "properties": {"repobilityId": 107574, "scanner": "osv-scanner", "fingerprint": "346c97831be09b89603f8819967a1caf39f8f572a2d5dc5925a9ae0a6b98856e", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25681"], "package": "golang.org/x/net", "rule_id": "GO-2026-5029", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-25681|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5028", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5028"}, "properties": {"repobilityId": 107573, "scanner": "osv-scanner", "fingerprint": 
"796445bee725d6616761216b224cb420e85017321d01a56e43bf03efe210c5f5", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-25680"], "package": "golang.org/x/net", "rule_id": "GO-2026-5028", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-25680|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5027", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5027"}, "properties": {"repobilityId": 107572, "scanner": "osv-scanner", "fingerprint": "acf4f4ae909e3489f7be9bc36808d846c836956d4a36bc26ba43890f213b1436", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42502"], "package": "golang.org/x/net", "rule_id": "GO-2026-5027", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-42502|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5026", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-5026"}, "properties": {"repobilityId": 107571, "scanner": "osv-scanner", "fingerprint": "2a9be343e7c5c43785f4d36c5506f23f8b055fb0d461a84395ad634441be541a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39821"], "package": "golang.org/x/net", "rule_id": "GO-2026-5026", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-39821|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5025", "level": "error", "message": {"text": 
"golang.org/x/net: GO-2026-5025"}, "properties": {"repobilityId": 107570, "scanner": "osv-scanner", "fingerprint": "be62fe7df92442560f1a21cceb16f1ca23f3e9cbe2e00b9699b8ae286a0012ce", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42506"], "package": "golang.org/x/net", "rule_id": "GO-2026-5025", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-42506|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4918", "level": "error", "message": {"text": "golang.org/x/net: GO-2026-4918"}, "properties": {"repobilityId": 107569, "scanner": "osv-scanner", "fingerprint": "d07e75663319e62f27408375428863546ab8185771ef2447feb53879555f4916", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["BIT-golang-2026-33814", "CVE-2026-33814"], "package": "golang.org/x/net", "rule_id": "GO-2026-4918", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/net|CVE-2026-33814|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5033", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5033"}, "properties": {"repobilityId": 107568, "scanner": "osv-scanner", "fingerprint": "ad1d47a6aef958448f22a42c2d60392dc7008e25932b619f84e66221eb131e95", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46598"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5033", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-46598|go.mod"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5023", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5023"}, "properties": {"repobilityId": 107567, "scanner": "osv-scanner", "fingerprint": "2d612844c17f0f3569717978b60331059540fefc1c2346e38678f12228b2ebdb", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46595"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5023", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-46595|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5021", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5021"}, "properties": {"repobilityId": 107566, "scanner": "osv-scanner", "fingerprint": "9cfea8adee448a2428e663f481c352e77e2cd449655562d5b118efedfb7da4f8", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42508"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5021", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-42508|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5020", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5020"}, "properties": {"repobilityId": 107565, "scanner": "osv-scanner", "fingerprint": "93b646b3920c3a2193a1efdebfdfa5196ce3475c1dc5bae6355a6e1f9cbf460a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39834"], "package": "golang.org/x/crypto", 
"rule_id": "GO-2026-5020", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39834|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5019", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5019"}, "properties": {"repobilityId": 107564, "scanner": "osv-scanner", "fingerprint": "345537a037a5b3177ae140a9e9c405ec64da8434ead8931918ec7573a6ce20b3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39831"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5019", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39831|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5018", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5018"}, "properties": {"repobilityId": 107563, "scanner": "osv-scanner", "fingerprint": "949f77a9611832376c508d55bf01659a712274ac105d24e504e15dd5e1dbf16f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39829"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5018", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39829|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5017", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5017"}, "properties": {"repobilityId": 107562, "scanner": "osv-scanner", "fingerprint": "2930f2404722144c851cb9051c8ebf92002718de31c8d9fd7a648ca0f2ef6ada", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39830"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5017", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39830|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5016", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5016"}, "properties": {"repobilityId": 107561, "scanner": "osv-scanner", "fingerprint": "ac67bbb6c13f69fe38c8bbe16cf8fe7e2ed0ab66e0c5b15dba53f20834fe3d86", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39827"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5016", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39827|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5015", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5015"}, "properties": {"repobilityId": 107560, "scanner": "osv-scanner", "fingerprint": "2e502398ad2ca483c07bc43556f4c4eb205c7761c2c9cd89d2d1aee4f087438f", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39835"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5015", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39835|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5014", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5014"}, "properties": {"repobilityId": 107559, "scanner": "osv-scanner", "fingerprint": 
"8daae6fef532b43e67fa01a55acbd01bab03899e2f5d4ad247bee8e8442024dd", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39828"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5014", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39828|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5013", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5013"}, "properties": {"repobilityId": 107558, "scanner": "osv-scanner", "fingerprint": "ccaa102abe73278dc6503207bd926859d7ba8955ec415d747a72b6b58b6a3dc3", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46597"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5013", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-46597|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5006", "level": "error", "message": {"text": "golang.org/x/crypto: GO-2026-5006"}, "properties": {"repobilityId": 107557, "scanner": "osv-scanner", "fingerprint": "8b88451b530e190692c439835073029a47d5722b48b6a00ddb5e3369824775a2", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39832"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5006", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39832|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5005", "level": "error", 
"message": {"text": "golang.org/x/crypto: GO-2026-5005"}, "properties": {"repobilityId": 107556, "scanner": "osv-scanner", "fingerprint": "ae98cdae0aac80f7b5a30a91f9180936ed79f348030d056d429d20e8b082f033", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-39833"], "package": "golang.org/x/crypto", "rule_id": "GO-2026-5005", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/crypto|CVE-2026-39833|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-mh2q-q3fh-2475", "level": "error", "message": {"text": "go.opentelemetry.io/otel: GHSA-mh2q-q3fh-2475"}, "properties": {"repobilityId": 107555, "scanner": "osv-scanner", "fingerprint": "064896838da2337f5de42b9052e70ba0bf9ff625bb5109bdf2495a450b1cd32d", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-29181"], "package": "go.opentelemetry.io/otel", "rule_id": "GHSA-mh2q-q3fh-2475", "scanner": "osv-scanner", "correlation_key": "vuln|go.opentelemetry.io/otel|CVE-2026-29181|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4958", "level": "error", "message": {"text": "github.com/moby/spdystream: GO-2026-4958"}, "properties": {"repobilityId": 107554, "scanner": "osv-scanner", "fingerprint": "2d9190aeb10e32203cb7f040ff584ddf5ae4f56eef74df361b94c6584691b4b6", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-35469", "GHSA-pc3f-x583-g7j2"], "package": 
"github.com/moby/spdystream", "rule_id": "GO-2026-4958", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/moby/spdystream|CVE-2026-35469|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-pc3f-x583-g7j2", "GO-2026-4958"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["1f27ce795bc8b294673d411f8a0bac8d6e4513868f40924a0c24af8f1099cc3d", "2d9190aeb10e32203cb7f040ff584ddf5ae4f56eef74df361b94c6584691b4b6"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4771", "level": "error", "message": {"text": "github.com/jackc/pgx/v5: GO-2026-4771"}, "properties": {"repobilityId": 107551, "scanner": "osv-scanner", "fingerprint": "1a16bd6ffacb08b49ebcbcf3fb6f23270129171b846ac0377a62c6a255e53985", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33815", "GHSA-xgrm-4fwx-7qm8"], "package": "github.com/jackc/pgx/v5", "rule_id": "GO-2026-4771", "scanner": "osv-scanner", "correlation_key": "vuln|github.com/jackc/pgx/v5|CVE-2026-33815|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-fqw6-gf59-qr4w", "level": "error", "message": {"text": "github.com/containerd/containerd: GHSA-fqw6-gf59-qr4w"}, "properties": {"repobilityId": 107550, "scanner": "osv-scanner", "fingerprint": "392731f1e8ccaf0dfd1c1dbf919f87599c9db4e9d0139cdab41e321b18cbd67a", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46680"], "package": "github.com/containerd/containerd", "rule_id": "GHSA-fqw6-gf59-qr4w", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2026-46680|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC061", "level": "error", "message": {"text": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT)."}, "properties": {"repobilityId": 107547, "scanner": "repobility-threat-engine", "fingerprint": "55a8b02f220f7c4a97198b96795d5fc009e0aa2706f149a3560ccc5c85f70a92", "category": "secret", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eyJ0eXAiOiJqd3QiLCJhbGciOiJlZDI1NTE5In0.eyJqdGkiOiJPRFhJSVI2Wlg1Q1AzMlFJTFczWFBENEtTSDYzUFNNSEZHUkpa", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC061", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "secret|pkg/broker/resources.go|8|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/broker/resources.go"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `peaceiris/actions-label-commenter` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 107542, "scanner": "repobility-supply-chain", "fingerprint": "1bd7cbd7cda09aafb2f76be6bf0bd5c3d79e61f5f6bc6cdfd8d171d5b4da7f65", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1bd7cbd7cda09aafb2f76be6bf0bd5c3d79e61f5f6bc6cdfd8d171d5b4da7f65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/label-commenter.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action 
`actions/checkout` pinned to mutable ref `@master`"}, "properties": {"repobilityId": 107541, "scanner": "repobility-supply-chain", "fingerprint": "dbd734ca77f74fa7cfb278d029efba1fbd51a836c4b7b1ab16d7de7d4c41faf5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dbd734ca77f74fa7cfb278d029efba1fbd51a836c4b7b1ab16d7de7d4c41faf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/label-commenter.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `slackapi/slack-github-action` pinned to mutable ref `@v2.1.1`"}, "properties": {"repobilityId": 107540, "scanner": "repobility-supply-chain", "fingerprint": "3ae26f3f7fe63fe53b7aae38b04f9036208b13c9979e7e5b35c72b20e7c5c141", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ae26f3f7fe63fe53b7aae38b04f9036208b13c9979e7e5b35c72b20e7c5c141"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/slack.yaml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `slackapi/slack-github-action` pinned to mutable ref `@v2.1.1`"}, "properties": {"repobilityId": 107539, "scanner": "repobility-supply-chain", "fingerprint": "813ee403d9331d4e71a4e07a31e1df3ac416065c53fff3a97b031b58d06ddcd2", "category": "dependency", "severity": "high", "confidence": 0.9, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|813ee403d9331d4e71a4e07a31e1df3ac416065c53fff3a97b031b58d06ddcd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/slack.yaml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 107538, "scanner": "repobility-supply-chain", "fingerprint": "21e29ff41933c4b34baf78abd9b8a825f144726c9f8f76a1a072617e84fd1e62", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|21e29ff41933c4b34baf78abd9b8a825f144726c9f8f76a1a072617e84fd1e62"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/error-ref-publisher.yaml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `stefanzweifel/git-auto-commit-action` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 107537, "scanner": "repobility-supply-chain", "fingerprint": "2a49070aa8a270dc447f340143596ea7f54c174c094c7b707486e1b7be82743b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|2a49070aa8a270dc447f340143596ea7f54c174c094c7b707486e1b7be82743b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/error-ref-publisher.yaml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 107536, "scanner": "repobility-supply-chain", "fingerprint": "2b0a89c9fc0addbd679db19c9cfe3008ae14f41ebc88bd9d2785d2712a37e6b0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2b0a89c9fc0addbd679db19c9cfe3008ae14f41ebc88bd9d2785d2712a37e6b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/error-ref-publisher.yaml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 107535, "scanner": "repobility-supply-chain", "fingerprint": "f21e02b05a7ec32fa165e4a74d3d63da95dc83b0463137c6f2047bcd5f5d0c8f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f21e02b05a7ec32fa165e4a74d3d63da95dc83b0463137c6f2047bcd5f5d0c8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/error-ref-publisher.yaml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action 
`release-drafter/release-drafter` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 107534, "scanner": "repobility-supply-chain", "fingerprint": "39b51ccf6d6d61d32743840916bbb6a9f0509b576a6a6e1da18e57f29ac6dd0c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|39b51ccf6d6d61d32743840916bbb6a9f0509b576a6a6e1da18e57f29ac6dd0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-drafter.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 107533, "scanner": "repobility-supply-chain", "fingerprint": "129c1f0e6adbeff0824fd0c5ceae5562b1e8957092e3d66afb61209542285516", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|129c1f0e6adbeff0824fd0c5ceae5562b1e8957092e3d66afb61209542285516"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/integration-tests-ci.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `helm/kind-action` pinned to mutable ref `@v1.10.0`"}, "properties": {"repobilityId": 107532, "scanner": "repobility-supply-chain", "fingerprint": "ffb1c97a8b3abaeb1dbfb8af704f9e6d3e27532cca80eb1eb4f60b181bb18fe7", "category": "dependency", "severity": "high", "confidence": 0.9, 
"triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ffb1c97a8b3abaeb1dbfb8af704f9e6d3e27532cca80eb1eb4f60b181bb18fe7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/integration-tests-ci.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 107531, "scanner": "repobility-supply-chain", "fingerprint": "7558d1791acb62d43772a2558621764ba781441ec41edebe002fcc329774ff6c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7558d1791acb62d43772a2558621764ba781441ec41edebe002fcc329774ff6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/integration-tests-ci.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 107530, "scanner": "repobility-supply-chain", "fingerprint": "858cba0df257c88ef64ca27461c222d041044427a4373f81724aab4e050888c3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|858cba0df257c88ef64ca27461c222d041044427a4373f81724aab4e050888c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/integration-tests-ci.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 107529, "scanner": "repobility-supply-chain", "fingerprint": "39ba34a92927293bd6bbcd1896541a48fd3211735a128150a5c501434732bbe7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|39ba34a92927293bd6bbcd1896541a48fd3211735a128150a5c501434732bbe7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/approve-to-run-ci.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 107528, "scanner": "repobility-supply-chain", "fingerprint": "449af540db24ea52250d0154ae169eed44293f2bfb59bbbef86d5853abd68263", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|449af540db24ea52250d0154ae169eed44293f2bfb59bbbef86d5853abd68263"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/approve-to-run-ci.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action 
`actions/setup-go` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 107527, "scanner": "repobility-supply-chain", "fingerprint": "b202486408a8584850a8335e0867f65fbfa9c0831788a279ce8f2ee53b1e616d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b202486408a8584850a8335e0867f65fbfa9c0831788a279ce8f2ee53b1e616d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/approve-to-run-ci.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 107526, "scanner": "repobility-supply-chain", "fingerprint": "278a1d2dba1bbcaa4ffac04eddcb0a5fe6dd76352bc389a93b9f46211e78ce70", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|278a1d2dba1bbcaa4ffac04eddcb0a5fe6dd76352bc389a93b9f46211e78ce70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/approve-to-run-ci.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 107525, "scanner": "repobility-supply-chain", "fingerprint": "0cb50e5357fafc93a0e3d7411045a5f733bab13f4d794c9d1374e900a0663ead", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0cb50e5357fafc93a0e3d7411045a5f733bab13f4d794c9d1374e900a0663ead"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/approve-to-run-ci.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 107524, "scanner": "repobility-supply-chain", "fingerprint": "cd584e804253f48f4a884ff2d7ac27e51717afca4f5cc335aca4b4826e7bb87b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd584e804253f48f4a884ff2d7ac27e51717afca4f5cc335aca4b4826e7bb87b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/approve-to-run-ci.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `golangci/golangci-lint-action` pinned to mutable ref `@v9`"}, "properties": {"repobilityId": 107523, "scanner": "repobility-supply-chain", "fingerprint": "fb9b6ce97daa6238cfbd21636b83f5bf36b40094d498e3e0ff3676eee311ca1b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|fb9b6ce97daa6238cfbd21636b83f5bf36b40094d498e3e0ff3676eee311ca1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/approve-to-run-ci.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-go` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 107522, "scanner": "repobility-supply-chain", "fingerprint": "5436868015d8075c4c38c482c07bfa232e2ac1b75576b616aaed80f590a075f5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5436868015d8075c4c38c482c07bfa232e2ac1b75576b616aaed80f590a075f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/approve-to-run-ci.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 107521, "scanner": "repobility-supply-chain", "fingerprint": "8b92bfde98a9138a923ebdee9a9aef33a5ca5dbe2b8531b7371f57a123413e98", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8b92bfde98a9138a923ebdee9a9aef33a5ca5dbe2b8531b7371f57a123413e98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/approve-to-run-ci.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `azure/docker-login` 
pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 107520, "scanner": "repobility-supply-chain", "fingerprint": "e94a01c583d76a61dccc7f3b5aa01b09d3aacb8da53a5a35673e041f2adffba8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e94a01c583d76a61dccc7f3b5aa01b09d3aacb8da53a5a35673e041f2adffba8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-and-release.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@master`"}, "properties": {"repobilityId": 107519, "scanner": "repobility-supply-chain", "fingerprint": "be5d14cf8955735d5ea243743a7675b1173fe378d6a959a36598fd436a63810b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be5d14cf8955735d5ea243743a7675b1173fe378d6a959a36598fd436a63810b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build-and-release.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `pullreminders/slack-action` pinned to mutable ref `@master`"}, "properties": {"repobilityId": 107518, "scanner": "repobility-supply-chain", "fingerprint": "4f14d095180925c12e3f6c7bb1ace9e03857eeb6056302513d67107391539618", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4f14d095180925c12e3f6c7bb1ace9e03857eeb6056302513d67107391539618"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/newcomer-alert.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `gcr.io/distroless/static:nonroot` not pinned by digest"}, "properties": {"repobilityId": 107517, "scanner": "repobility-supply-chain", "fingerprint": "7cb80b8b891a98ba945bde0d8c48735ae4946b0df35e798451b732a18daa615c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7cb80b8b891a98ba945bde0d8c48735ae4946b0df35e798451b732a18daa615c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `golang:1.26.4` not pinned by digest"}, "properties": {"repobilityId": 107516, "scanner": "repobility-supply-chain", "fingerprint": "bd4246eb9b3c661c243480abe1e5ae512a03e548b020f847e8bc067afd12f0cd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|bd4246eb9b3c661c243480abe1e5ae512a03e548b020f847e8bc067afd12f0cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "GHSA-p77j-4mvh-x3m3", "level": "error", "message": {"text": "google.golang.org/grpc: GHSA-p77j-4mvh-x3m3"}, "properties": {"repobilityId": 107577, "scanner": "osv-scanner", "fingerprint": "839c639f99d987cc51e4c7791f0d17b2f5813a35ea0b64f0b2f22a19ff2880f8", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33186", "GO-2026-4762"], "package": "google.golang.org/grpc", "rule_id": "GHSA-p77j-4mvh-x3m3", "scanner": "osv-scanner", "correlation_key": "vuln|google.golang.org/grpc|CVE-2026-33186|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-p77j-4mvh-x3m3", "GO-2026-4762"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["006b95240250d32e48951bd4a59590a26f554f1c27926c81c3b7b82c36e8908a", "839c639f99d987cc51e4c7791f0d17b2f5813a35ea0b64f0b2f22a19ff2880f8"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-9jj7-4m8r-rfcm", "level": "error", "message": {"text": "github.com/jackc/pgx/v5: GHSA-9jj7-4m8r-rfcm"}, "properties": {"repobilityId": 107552, "scanner": "osv-scanner", "fingerprint": "ef9ee9e0c66e0363f6cb362c076cc8831981a3704c4f28aac019d7b12f282959", "category": "dependency", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "", "aliases": ["CVE-2026-33816", "GO-2026-4772"], "package": "github.com/jackc/pgx/v5", "rule_id": "GHSA-9jj7-4m8r-rfcm", "scanner": "osv-scanner", "correlation_key": 
"vuln|github.com/jackc/pgx/v5|CVE-2026-33816|go.mod", "duplicate_count": 1, "duplicate_rule_ids": ["GHSA-9jj7-4m8r-rfcm", "GO-2026-4772"], "duplicate_scanners": ["osv-scanner"], "duplicate_fingerprints": ["3522924f22196f0a71b0c5cb7af4375033cbccfe314543254805594682c6adf3", "ef9ee9e0c66e0363f6cb362c076cc8831981a3704c4f28aac019d7b12f282959"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "jwt", "level": "error", "message": {"text": "Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data."}, "properties": {"repobilityId": 107549, "scanner": "gitleaks", "fingerprint": "59322baf9858f25956d36950f4b1fa52b9eca37ab9877041ebd4d93ddee5e02f", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "REDACTED", "rule_id": "jwt", "scanner": "gitleaks", "detector": "jwt", "correlation_key": "secret|pkg/broker/resources.go|8|redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/broker/resources.go"}, "region": {"startLine": 82}}}]}]}]}