{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR003", "name": "Compose service `imhex_web` image uses the latest tag", "shortDescription": {"text": "Compose service `imhex_web` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . 
is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image has no explicit tag", "shortDescription": {"text": "Dockerfile base image has no explicit tag"}, "fullDescription": {"text": "Images without explicit tags resolve to a mutable default tag, which weakens reproducibility and review."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Splitting apt update and install across layers can reuse stale package indexes and make builds less reliable."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DEPCUR-GHA", "name": "GitHub Action `actions/upload-artifact@v4` is 3 major version(s) behind (latest v7.0.1)", "shortDescription": {"text": "GitHub Action `actions/upload-artifact@v4` is 3 major version(s) behind (latest v7.0.1)"}, "fullDescription": {"text": "`uses: actions/upload-artifact@v4` is 3 major version(s) behind the latest published release v7.0.1. Old action majors run on deprecated runner images / Node versions and miss upstream fixes. 
This is the exact 'outdated GitHub Action' class Dependabot raises \u2014 and which Repobility had no coverage for."}, "properties": {"scanner": "repobility-dependency-currency", "category": "dependency", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): 
String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC007", "name": "Generated build artifact directory is present at repository root", "shortDescription": {"text": "Generated build artifact directory is present at repository root"}, "fullDescription": {"text": "Committed build outputs and caches make scans slower, confuse duplicate-code checks, and give AI agents stale generated code to imitate."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern 
found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled ", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes e"}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "Workflow container/services image `almalinux:10` unpinned", "shortDescription": {"text": "Workflow container/services image `almalinux:10` unpinned"}, "fullDescription": {"text": "`container/services image: almalinux:10` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/upload-artifact` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/931"}, "properties": {"repository": "WerWolv/ImHex", "repoUrl": "https://github.com/WerWolv/ImHex", "branch": "master"}, "results": [{"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `imhex_web` image uses the latest tag"}, "properties": {"repobilityId": 87209, "scanner": "repobility-docker", "fingerprint": "88cd72c35cc10b8f4524e264c7fcf16515689618dacb27d5d6cdf1ed75ab0b09", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "imhex_web:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|88cd72c35cc10b8f4524e264c7fcf16515689618dacb27d5d6cdf1ed75ab0b09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dist/web/compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 87208, "scanner": "repobility-docker", "fingerprint": "572fcafaf0035bb0d248a43d359184b364571e02f4e85f16bed33a6d7030c360", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nginx", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|572fcafaf0035bb0d248a43d359184b364571e02f4e85f16bed33a6d7030c360"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dist/web/Dockerfile"}, "region": {"startLine": 108}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 87207, "scanner": "repobility-docker", "fingerprint": "197edc4f523603de4dd16d8ccbbced6597fa381a9270c8b80dd217378f56277a", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|197edc4f523603de4dd16d8ccbbced6597fa381a9270c8b80dd217378f56277a", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dist/web/Dockerfile"}, "region": {"startLine": 109}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 87206, "scanner": "repobility-docker", "fingerprint": "d95f80a54d25c7022f98d81e3a17946e5c6afde3d71c41824bf2ee9a884223a1", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "nginx", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|d95f80a54d25c7022f98d81e3a17946e5c6afde3d71c41824bf2ee9a884223a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dist/web/Dockerfile"}, "region": {"startLine": 108}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 87205, "scanner": "repobility-docker", "fingerprint": "7d3856a6f589eb62c76632775006272413ae1c54a56ea9bc8ebf965248ee2fd3", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|7d3856a6f589eb62c76632775006272413ae1c54a56ea9bc8ebf965248ee2fd3", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dist/web/Dockerfile"}, "region": {"startLine": 87}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 87203, "scanner": "repobility-docker", "fingerprint": "7ceca83467430388a1f24ffd45a3578d4db1438e42063af87fcefc45098d5ddd", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7ceca83467430388a1f24ffd45a3578d4db1438e42063af87fcefc45098d5ddd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dist/web/Dockerfile"}, "region": 
{"startLine": 7}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 87202, "scanner": "repobility-docker", "fingerprint": "ef2502e560aa8ba7ffbff45b87620508bf33512db2c98b49232b5841817c391c", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "archlinux:latest", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ef2502e560aa8ba7ffbff45b87620508bf33512db2c98b49232b5841817c391c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dist/Arch/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 87201, "scanner": "repobility-docker", "fingerprint": "bdd76c7d03cd6d454c523e52c378bc0a2bee3581ad1622e190cf0a7ca8aaa80b", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "archlinux:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|bdd76c7d03cd6d454c523e52c378bc0a2bee3581ad1622e190cf0a7ca8aaa80b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dist/Arch/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies 
broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 87199, "scanner": "repobility-docker", "fingerprint": "8dc8abf6eb725f16f98259ef3973d5c13e23a5d48b085bb97fbaa9583a1f9cb0", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|8dc8abf6eb725f16f98259ef3973d5c13e23a5d48b085bb97fbaa9583a1f9cb0", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dist/AppImage/Dockerfile"}, "region": {"startLine": 27}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/upload-artifact@v4` is 3 major version(s) behind (latest v7.0.1)"}, "properties": {"repobilityId": 87188, "scanner": "repobility-dependency-currency", "fingerprint": "a4a937f18f8af6a4abd894ea5dec95383841d94f2f9bbb73a4ac2eb8c4023d67", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/upload-artifact", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v7.0.1", "correlation_key": "fp|a4a937f18f8af6a4abd894ea5dec95383841d94f2f9bbb73a4ac2eb8c4023d67", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 171}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/attest-build-provenance@v2` is 2 major version(s) behind (latest v4.1.0)"}, 
"properties": {"repobilityId": 87187, "scanner": "repobility-dependency-currency", "fingerprint": "852d11b330fdbaf78bcee429810962632ab6c19b9d67d5e61073d6971aed6039", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/attest-build-provenance", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v4.1.0", "correlation_key": "fp|852d11b330fdbaf78bcee429810962632ab6c19b9d67d5e61073d6971aed6039", "current_version": "v2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 164}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/setup-dotnet@v4` is 1 major version(s) behind (latest v5.3.0)"}, "properties": {"repobilityId": 87186, "scanner": "repobility-dependency-currency", "fingerprint": "babd9055b1835e30e171a07d06653d2f7edb4e656eb129f8d06d04de82e53202", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/setup-dotnet", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v5.3.0", "correlation_key": "fp|babd9055b1835e30e171a07d06653d2f7edb4e656eb129f8d06d04de82e53202", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 87183, "scanner": 
"repobility-dependency-currency", "fingerprint": "9d51fbe43dfd1db51134780857e6b590573c536fc7a39586a04abdee93a990b8", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|9d51fbe43dfd1db51134780857e6b590573c536fc7a39586a04abdee93a990b8", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `KSXGitHub/github-actions-deploy-aur@v2` is 2 major version(s) behind (latest v4.1.3)"}, "properties": {"repobilityId": 87181, "scanner": "repobility-dependency-currency", "fingerprint": "5f1a79ac2e6068e205da9faeb8b36d1ad52155bf725200ea948b499b7c90d2fd", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "KSXGitHub/github-actions-deploy-aur", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v4.1.3", "correlation_key": "fp|5f1a79ac2e6068e205da9faeb8b36d1ad52155bf725200ea948b499b7c90d2fd", "current_version": "v2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 219}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `signpath/github-action-submit-signing-request@v1` is 1 major version(s) behind (latest v2)"}, "properties": {"repobilityId": 87180, "scanner": 
"repobility-dependency-currency", "fingerprint": "14d17d73f26d24a15eb7e8c3a06bef654edfc0ad50eff98cf2a0862c57911cb0", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "signpath/github-action-submit-signing-request", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v2", "correlation_key": "fp|14d17d73f26d24a15eb7e8c3a06bef654edfc0ad50eff98cf2a0862c57911cb0", "current_version": "v1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 161}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/upload-artifact@v4` is 3 major version(s) behind (latest v7.0.1)"}, "properties": {"repobilityId": 87179, "scanner": "repobility-dependency-currency", "fingerprint": "c3433135a3e13d712a25db72b2622866bbe3c53b67b857e2848836e9805a0608", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/upload-artifact", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v7.0.1", "correlation_key": "fp|c3433135a3e13d712a25db72b2622866bbe3c53b67b857e2848836e9805a0608", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 138}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `dawidd6/action-download-artifact@v6` is 15 major version(s) behind (latest v21)"}, "properties": {"repobilityId": 87178, "scanner": 
"repobility-dependency-currency", "fingerprint": "eb9e0acdc9f2b60d2f1ffa1f5dada75ea3e36f15619dd894acb4d80e7027951e", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "15 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "dawidd6/action-download-artifact", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v21", "correlation_key": "fp|eb9e0acdc9f2b60d2f1ffa1f5dada75ea3e36f15619dd894acb4d80e7027951e", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 105}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 87176, "scanner": "repobility-dependency-currency", "fingerprint": "d2b9f5073dc35288129c75ebf933eb8859962ed69d30edc0f3124ffe043e5541", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|d2b9f5073dc35288129c75ebf933eb8859962ed69d30edc0f3124ffe043e5541", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 87174, "scanner": "repobility-dependency-currency", "fingerprint": 
"65268ce0f9f19f24e14a48f5f2dfc9bf12ea0841e79edb0f60eb8b479964aa56", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|65268ce0f9f19f24e14a48f5f2dfc9bf12ea0841e79edb0f60eb8b479964aa56", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/upload-artifact@v4` is 3 major version(s) behind (latest v7.0.1)"}, "properties": {"repobilityId": 87173, "scanner": "repobility-dependency-currency", "fingerprint": "f70abca5c0b1d59fbc1ca689a9afd79ca318675a10827cbd4d74921352a908ac", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "3 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/upload-artifact", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v7.0.1", "correlation_key": "fp|f70abca5c0b1d59fbc1ca689a9afd79ca318675a10827cbd4d74921352a908ac", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dl-cache.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 87172, "scanner": "repobility-dependency-currency", "fingerprint": "3960520c76a8e72082e00da9b07df44eb45562f22d5401c5370a11a008abb861", 
"category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|3960520c76a8e72082e00da9b07df44eb45562f22d5401c5370a11a008abb861", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dl-cache.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `dawidd6/action-download-artifact@v6` is 15 major version(s) behind (latest v21)"}, "properties": {"repobilityId": 87169, "scanner": "repobility-dependency-currency", "fingerprint": "6922cff476d788dee0892fc5dc3b9f253b51ba5e2595860e86f3c6257a861cae", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "15 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "dawidd6/action-download-artifact", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v21", "correlation_key": "fp|6922cff476d788dee0892fc5dc3b9f253b51ba5e2595860e86f3c6257a861cae", "current_version": "v6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly_release.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 87168, "scanner": "repobility-dependency-currency", "fingerprint": "5927319372943ea9228abf068b9eff7e465d162c18ea72220c772eab91229fb3", "category": "dependency", "severity": 
"medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|5927319372943ea9228abf068b9eff7e465d162c18ea72220c772eab91229fb3", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly_release.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/stale@v5` is 5 major version(s) behind (latest v10.3.0)"}, "properties": {"repobilityId": 87167, "scanner": "repobility-dependency-currency", "fingerprint": "febd7dde75b41a18211fbecc35d4c2a2c7081a514a4cf39c090247f7527ff866", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "5 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/stale", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v10.3.0", "correlation_key": "fp|febd7dde75b41a18211fbecc35d4c2a2c7081a514a4cf39c090247f7527ff866", "current_version": "v5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/stale_issues.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/cache@v4` is 1 major version(s) behind (latest v5.0.5)"}, "properties": {"repobilityId": 87166, "scanner": "repobility-dependency-currency", "fingerprint": "692d6f45c49c7e34a9ac90d839a3784f4985211f5931ae90583af6d4f20fbe3f", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", 
"isResolved": false, "reason": "", "evidence": {"gap": "1 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/cache", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v5.0.5", "correlation_key": "fp|692d6f45c49c7e34a9ac90d839a3784f4985211f5931ae90583af6d4f20fbe3f", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/analysis.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "DEPCUR-GHA", "level": "warning", "message": {"text": "GitHub Action `actions/checkout@v4` is 2 major version(s) behind (latest v6.0.3)"}, "properties": {"repobilityId": 87164, "scanner": "repobility-dependency-currency", "fingerprint": "8599ab27b4dfb36780c64821c198b1d97a05178aedc710f78357fd79b7ac9f6a", "category": "dependency", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "2 major version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "actions/checkout", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v6.0.3", "correlation_key": "fp|8599ab27b4dfb36780c64821c198b1d97a05178aedc710f78357fd79b7ac9f6a", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/analysis.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 87211, "scanner": "repobility-docker", "fingerprint": "b4a888b14b13ad8bbf9315ef3fc045f01cd6adbbd32e6b0e6ba1359d81b87eff", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": 
"DKC010", "scanner": "repobility-docker", "service": "imhex_web", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b4a888b14b13ad8bbf9315ef3fc045f01cd6adbbd32e6b0e6ba1359d81b87eff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dist/web/compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 87210, "scanner": "repobility-docker", "fingerprint": "2abd026fa66fae8384e73227135c2556e158bc860e6f06404f16832129ff4448", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "imhex_web", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2abd026fa66fae8384e73227135c2556e158bc860e6f06404f16832129ff4448"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dist/web/compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 87204, "scanner": "repobility-docker", "fingerprint": "6e3b661324af4b5dc1491b75610753c4ab2a0dac1d88eec1804da72fdecdafb3", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|6e3b661324af4b5dc1491b75610753c4ab2a0dac1d88eec1804da72fdecdafb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dist/web/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 87200, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 87198, "scanner": "repobility-threat-engine", "fingerprint": "2d7664907f6cd1bc7a46f31a6009644c5023b2aa057bce7adc56fc28ef0e37ae", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"https://\" + setting + \".wikipedia.org/w/api.php?format=json&action=query&prop=extracts&explaintext&", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2d7664907f6cd1bc7a46f31a6009644c5023b2aa057bce7adc56fc28ef0e37ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/builtin/source/content/tools/wiki_explainer.cpp"}, "region": {"startLine": 20}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `msys2/setup-msys2@v2` is minor version(s) behind (latest v2.31.1)"}, "properties": {"repobilityId": 87185, "scanner": "repobility-dependency-currency", "fingerprint": "7572ef8f6967f8fb41d84a6a12635e9e6cfaf87a784bd7030a06c32c6aaeaead", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "msys2/setup-msys2", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v2.31.1", "correlation_key": "fp|7572ef8f6967f8fb41d84a6a12635e9e6cfaf87a784bd7030a06c32c6aaeaead", "current_version": "v2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", 
"message": {"text": "GitHub Action `hendrikmuhs/ccache-action@v1` is minor version(s) behind (latest v1.2.23)"}, "properties": {"repobilityId": 87184, "scanner": "repobility-dependency-currency", "fingerprint": "b27eb1c156f475dea0cb858ca4fc64736037bbe9af52e5415427246eba9d5d5c", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "hendrikmuhs/ccache-action", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v1.2.23", "correlation_key": "fp|b27eb1c156f475dea0cb858ca4fc64736037bbe9af52e5415427246eba9d5d5c", "current_version": "v1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 56}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `snapcore/action-publish@v1` is minor version(s) behind (latest v1.2.0)"}, "properties": {"repobilityId": 87182, "scanner": "repobility-dependency-currency", "fingerprint": "5a22ee08c88a549664720b7dd1a90ddffea9df38a104ae9a989648d72960ffc3", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "snapcore/action-publish", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v1.2.0", "correlation_key": "fp|5a22ee08c88a549664720b7dd1a90ddffea9df38a104ae9a989648d72960ffc3", "current_version": "v1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 268}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `ncipollo/release-action@v1` is 
minor version(s) behind (latest v1.21.0)"}, "properties": {"repobilityId": 87177, "scanner": "repobility-dependency-currency", "fingerprint": "c6c7b784633afaace6217521aeca2a393fc43404eb39601c47d5028b09a2c59c", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "ncipollo/release-action", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v1.21.0", "correlation_key": "fp|c6c7b784633afaace6217521aeca2a393fc43404eb39601c47d5028b09a2c59c", "current_version": "v1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `hendrikmuhs/ccache-action@v1` is minor version(s) behind (latest v1.2.23)"}, "properties": {"repobilityId": 87175, "scanner": "repobility-dependency-currency", "fingerprint": "7e37b6b399e1a4475f2d74d30c813865ccd6ce0d936cb25b9b11ea158e9a9ae9", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "hendrikmuhs/ccache-action", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v1.2.23", "correlation_key": "fp|7e37b6b399e1a4475f2d74d30c813865ccd6ce0d936cb25b9b11ea158e9a9ae9", "current_version": "v1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `snapcore/action-publish@v1` is minor version(s) behind (latest v1.2.0)"}, "properties": 
{"repobilityId": 87170, "scanner": "repobility-dependency-currency", "fingerprint": "ab49d432d85ad0b9cc03286de310efdef33dc04ff034910ae857e88014a8492d", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "snapcore/action-publish", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v1.2.0", "correlation_key": "fp|ab49d432d85ad0b9cc03286de310efdef33dc04ff034910ae857e88014a8492d", "current_version": "v1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly_release.yml"}, "region": {"startLine": 114}}}]}, {"ruleId": "DEPCUR-GHA", "level": "note", "message": {"text": "GitHub Action `hendrikmuhs/ccache-action@v1` is minor version(s) behind (latest v1.2.23)"}, "properties": {"repobilityId": 87165, "scanner": "repobility-dependency-currency", "fingerprint": "074d80f115c87c9f3663af7c64c774744dc89cbe58919290ec8fc4dc8f420916", "category": "dependency", "severity": "low", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "minor version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "hendrikmuhs/ccache-action", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v1.2.23", "correlation_key": "fp|074d80f115c87c9f3663af7c64c774744dc89cbe58919290ec8fc4dc8f420916", "current_version": "v1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/analysis.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87131, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"10f27b347c4644ae7346e9cedfafcce12fded3bb58a10a12c6faf08b8a4ca1d9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/disassembler/source/content/disassemblers/capstone_architectures.cpp", "duplicate_line": 35, "correlation_key": "fp|10f27b347c4644ae7346e9cedfafcce12fded3bb58a10a12c6faf08b8a4ca1d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ui/source/ui/widgets.cpp"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87130, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c85c0050fdbdf378658897a32da4f11f916ca842dced29df51226ce52372221c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/ui/include/ui/pattern_drawer.hpp", "duplicate_line": 34, "correlation_key": "fp|c85c0050fdbdf378658897a32da4f11f916ca842dced29df51226ce52372221c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ui/include/ui/pattern_value_editor.hpp"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87129, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e3c5c3ff8a23764533120854b4b2feca976d4e1ba378f0eea84928707a90fd4b", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/script_loader/support/c/source/script_api/v1/ui.cpp", "duplicate_line": 23, "correlation_key": "fp|e3c5c3ff8a23764533120854b4b2feca976d4e1ba378f0eea84928707a90fd4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ui/include/popups/popup_text_input.hpp"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87128, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5eacc8e082505927f9af103f75e0cf16ddeecbecfe5054abe62ecd1d1ed3b2d7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/script_loader/support/c/source/script_api/v1/ui.cpp", "duplicate_line": 23, "correlation_key": "fp|5eacc8e082505927f9af103f75e0cf16ddeecbecfe5054abe62ecd1d1ed3b2d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ui/include/popups/popup_question.hpp"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87127, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6c3f6708e5e40f41d1dc5d625b2ae174b82f4f2d56b8e4844489417960eae6d3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/script_loader/support/c/source/script_api/v1/ui.cpp", "duplicate_line": 26, "correlation_key": "fp|6c3f6708e5e40f41d1dc5d625b2ae174b82f4f2d56b8e4844489417960eae6d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/ui/include/popups/popup_notification.hpp"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87126, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac3095e7ccbbc5569eccfa9f77fde3e97f387ad29f33bd3ebcdc579c05cb2685", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/builtin/source/content/pl_builtin_types.cpp", "duplicate_line": 8, "correlation_key": "fp|ac3095e7ccbbc5569eccfa9f77fde3e97f387ad29f33bd3ebcdc579c05cb2685"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/disassembler/source/content/pl_builtin_types.cpp"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87125, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dda635bcf35af03416500c572dc2438d331c5b2f507db67c10306f86fc4d2735", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code 
window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/builtin/source/content/views/fullscreen/view_fullscreen_save_editor.cpp", "duplicate_line": 91, "correlation_key": "fp|dda635bcf35af03416500c572dc2438d331c5b2f507db67c10306f86fc4d2735"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/builtin/source/content/views/view_pattern_data.cpp"}, "region": {"startLine": 228}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87124, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b31c387817c20a59139104ca5a5e9e800b542fc1cafedb943cb625e225d13589", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "plugins/builtin/source/content/providers/intel_hex_provider.cpp", "duplicate_line": 30, "correlation_key": "fp|b31c387817c20a59139104ca5a5e9e800b542fc1cafedb943cb625e225d13589"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/builtin/source/content/providers/motorola_srec_provider.cpp"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87123, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4072ddc5c5a5451248cde2c9c5ff89cec9e96824c4f303b4c19c3c6f2016953d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in 
two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "main/gui/source/window/platform/linux.cpp", "duplicate_line": 92, "correlation_key": "fp|4072ddc5c5a5451248cde2c9c5ff89cec9e96824c4f303b4c19c3c6f2016953d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "main/gui/source/window/platform/web.cpp"}, "region": {"startLine": 80}}}]}, {"ruleId": "AIC007", "level": "note", "message": {"text": "Generated build artifact directory is present at repository root"}, "properties": {"repobilityId": 87122, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6069b1ec53cf974ec6e25b94b13d24116a19565dae3d82ce5bcc320c773215fd", "category": "quality", "severity": "low", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains a common generated artifact directory.", "evidence": {"rule_id": "AIC007", "scanner": "repobility-ai-code-hygiene", "directory": "dist", "references": ["https://git-scm.com/docs/gitignore", "https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|6069b1ec53cf974ec6e25b94b13d24116a19565dae3d82ce5bcc320c773215fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dist"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 87195, "scanner": "repobility-threat-engine", "fingerprint": "2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2cd220107759c389357ea1e0b2a749255d62455820f15b6cc9e05e77d2c17c58"}}}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 87190, "scanner": "repobility-threat-engine", "fingerprint": "c108911d40c050cad1fdb641075855a7f39f43e896760230be9d46626eb52d81", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c108911d40c050cad1fdb641075855a7f39f43e896760230be9d46626eb52d81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/disassembler/source/content/pl_builtin_types.cpp"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 87189, "scanner": "repobility-threat-engine", "fingerprint": "6dfc0dd0c965cb8334b54368ce0dcac150ad5d6892a2b78af5487f2306508299", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": 
{"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6dfc0dd0c965cb8334b54368ce0dcac150ad5d6892a2b78af5487f2306508299"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/builtin/source/content/data_formatters.cpp"}, "region": {"startLine": 86}}}]}, {"ruleId": "DEPCUR-GHA", "level": "none", "message": {"text": "GitHub Action `peter-evans/repository-dispatch@v4` is patch version(s) behind (latest v4.0.1)"}, "properties": {"repobilityId": 87171, "scanner": "repobility-dependency-currency", "fingerprint": "10a99247331397369cb01a35d215082b1ae4749ba1d18b30ff6286332ab2c914", "category": "dependency", "severity": "info", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"gap": "patch version(s) behind", "signal": "currency", "cwe_ids": ["CWE-1104"], "package": "peter-evans/repository-dispatch", "scanner": "repobility-dependency-currency", "ecosystem": "github-actions", "languages": ["yaml"], "latest_version": "v4.0.1", "correlation_key": "fp|10a99247331397369cb01a35d215082b1ae4749ba1d18b30ff6286332ab2c914", "current_version": "v4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly_release.yml"}, "region": {"startLine": 140}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 87197, "scanner": "repobility-threat-engine", "fingerprint": "3efdf05f3411952bd25c28b18b4df47ab84bc0782536a1f4557e8d24000497f9", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(g", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3efdf05f3411952bd25c28b18b4df47ab84bc0782536a1f4557e8d24000497f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/builtin/source/content/tools/wiki_explainer.cpp"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 87196, "scanner": "repobility-threat-engine", "fingerprint": "7828f8554896d88836ad6791fca1b5791f0436403ca6a88990e64596029074e4", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7828f8554896d88836ad6791fca1b5791f0436403ca6a88990e64596029074e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/builtin/source/content/tools/http_requests.cpp"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 87194, "scanner": "repobility-threat-engine", "fingerprint": "c7e2a07b396456f3e5864d4f62375109cdb8149e1b07a055240e73476b66d54b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "task.update(progress);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c7e2a07b396456f3e5864d4f62375109cdb8149e1b07a055240e73476b66d54b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/builtin/source/content/views/view_information.cpp"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 87193, "scanner": "repobility-threat-engine", "fingerprint": "41b9a2730e5dca53313a09c74ab6a3c5482e3c78dec81ed6f5fda0bbae672466", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "task.update(offset);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|41b9a2730e5dca53313a09c74ab6a3c5482e3c78dec81ed6f5fda0bbae672466"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/builtin/source/content/tools/file_tool_splitter.cpp"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 87192, "scanner": "repobility-threat-engine", "fingerprint": "8098d0fd38294880a344bd245dcc79bb7df3648dc9ba35474751d7bad49ddef2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "task.update(offset);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8098d0fd38294880a344bd245dcc79bb7df3648dc9ba35474751d7bad49ddef2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/builtin/source/content/tools/file_tool_shredder.cpp"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 87191, "scanner": "repobility-threat-engine", "fingerprint": "9341f256c9e3194adaf1f24603046078bdaa7ebb310f7206d6c272f553289217", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(fmt::format(\"hex.builtin.tools.file_tools.combiner.open_input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|128|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "plugins/builtin/source/content/tools/file_tool_combiner.cpp"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `almalinux:10` unpinned"}, "properties": {"repobilityId": 87163, "scanner": "repobility-supply-chain", "fingerprint": "cde4b7b8f3b914c74e972b38fa4c7f5f86ed1f7a6ebbeff14d17a9ee85ffdd78", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cde4b7b8f3b914c74e972b38fa4c7f5f86ed1f7a6ebbeff14d17a9ee85ffdd78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 940}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `archlinux:base-devel` unpinned"}, "properties": {"repobilityId": 87162, "scanner": "repobility-supply-chain", "fingerprint": 
"0777e2bc16b3fc67097cf778ed75af7eb3d66c82b8d48b46fa5f5ba6ce28cc77", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0777e2bc16b3fc67097cf778ed75af7eb3d66c82b8d48b46fa5f5ba6ce28cc77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 821}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `debian:13` unpinned"}, "properties": {"repobilityId": 87161, "scanner": "repobility-supply-chain", "fingerprint": "bfd2d49a655c50ebf725b5320cc1f94272f5343ca100e978b8338bed94022423", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bfd2d49a655c50ebf725b5320cc1f94272f5343ca100e978b8338bed94022423"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 658}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `ubuntu:25.10` unpinned"}, "properties": {"repobilityId": 87160, "scanner": "repobility-supply-chain", "fingerprint": "1e5d06a3e955f8a98e3602c6bf716a200f213892ac15de06d84e1df269f85c3e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", 
"cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1e5d06a3e955f8a98e3602c6bf716a200f213892ac15de06d84e1df269f85c3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 655}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `ubuntu:24.04` unpinned"}, "properties": {"repobilityId": 87159, "scanner": "repobility-supply-chain", "fingerprint": "b041077d2a114f13ed3a0f3c16a8e9e30e57363f9a37483a42acc33035b44e88", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b041077d2a114f13ed3a0f3c16a8e9e30e57363f9a37483a42acc33035b44e88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/build.yml"}, "region": {"startLine": 652}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 87158, "scanner": "repobility-supply-chain", "fingerprint": "d9c915ce34cdc6fecd31e0f2884dfccf2e276cc6f0d83203ed39ba902c20147e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d9c915ce34cdc6fecd31e0f2884dfccf2e276cc6f0d83203ed39ba902c20147e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, 
"region": {"startLine": 148}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 87157, "scanner": "repobility-supply-chain", "fingerprint": "922cf670fb7c64819da88dbe0bbc3427ded925872d783fa5670bb41e66c48f3d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|922cf670fb7c64819da88dbe0bbc3427ded925872d783fa5670bb41e66c48f3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dawidd6/action-download-artifact` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 87156, "scanner": "repobility-supply-chain", "fingerprint": "3121eb989ccffee97ba99d9136d6f465c3cd9663574c4da4e8ccb670646c7c2a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3121eb989ccffee97ba99d9136d6f465c3cd9663574c4da4e8ccb670646c7c2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 87155, "scanner": "repobility-supply-chain", "fingerprint": 
"146a03e6b833083cc20d062af2a4dcc78d4e95d5e3b85309ced2eebcf3a41ee3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|146a03e6b833083cc20d062af2a4dcc78d4e95d5e3b85309ced2eebcf3a41ee3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ncipollo/release-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 87154, "scanner": "repobility-supply-chain", "fingerprint": "45217702c2e6c9566dca06938705da0c80bb71f4f61d939cd7797857d0032adf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|45217702c2e6c9566dca06938705da0c80bb71f4f61d939cd7797857d0032adf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ncipollo/release-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 87153, "scanner": "repobility-supply-chain", "fingerprint": "04a9056a6c4fd7eb41a76c7547e94ebc46fe7e195503175f601438476ba75172", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": 
["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|04a9056a6c4fd7eb41a76c7547e94ebc46fe7e195503175f601438476ba75172"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `ncipollo/release-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 87152, "scanner": "repobility-supply-chain", "fingerprint": "fc5fa6088bc14a1b5636eacab970bf8430f8e03b137c8e7923908bf33755ef2c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fc5fa6088bc14a1b5636eacab970bf8430f8e03b137c8e7923908bf33755ef2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 87151, "scanner": "repobility-supply-chain", "fingerprint": "986485b9a4b0fdea0bffd9dec9d89bbacc6214e64309bed4f2212b4f2219642a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|986485b9a4b0fdea0bffd9dec9d89bbacc6214e64309bed4f2212b4f2219642a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 
24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 87148, "scanner": "repobility-supply-chain", "fingerprint": "4abff7fe7fd862a1cfe2a340726ae7493f93005397aa2244d64a47741ccdc378", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4abff7fe7fd862a1cfe2a340726ae7493f93005397aa2244d64a47741ccdc378"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `hendrikmuhs/ccache-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 87147, "scanner": "repobility-supply-chain", "fingerprint": "250711d921b7ee85db6e66e3cb2de16b7d7fe92e6627f7b2cc1f88a20bdd05e9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|250711d921b7ee85db6e66e3cb2de16b7d7fe92e6627f7b2cc1f88a20bdd05e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 87146, "scanner": "repobility-supply-chain", "fingerprint": "573b6e0c84cba35402ec31d715fdf4859a861058fb074da8a88dff1f8f9584ea", "category": "dependency", 
"severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|573b6e0c84cba35402ec31d715fdf4859a861058fb074da8a88dff1f8f9584ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 87145, "scanner": "repobility-supply-chain", "fingerprint": "8389a83e33aac0500b6e8d6aca189286ccb1e27913fe2a3ede10cba63874ec8d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8389a83e33aac0500b6e8d6aca189286ccb1e27913fe2a3ede10cba63874ec8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dl-cache.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `iTrooz/cache/restore` pinned to mutable ref `@restore_with_version`"}, "properties": {"repobilityId": 87144, "scanner": "repobility-supply-chain", "fingerprint": "b6980ee3faa5327ae020da1295d35f09e2b3df533871d835e94b7bd238b07663", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": 
"repobility-supply-chain", "correlation_key": "fp|b6980ee3faa5327ae020da1295d35f09e2b3df533871d835e94b7bd238b07663"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dl-cache.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 87143, "scanner": "repobility-supply-chain", "fingerprint": "1ecb58d82acde3c6c9d5627befef72c5f68241bef6bab8e3c0806dc82026f211", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ecb58d82acde3c6c9d5627befef72c5f68241bef6bab8e3c0806dc82026f211"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dl-cache.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `peter-evans/repository-dispatch` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 87142, "scanner": "repobility-supply-chain", "fingerprint": "b813f2fa0c7ff95d9c8a76cfde3d65e8457a701bb4bba902e8915db4b4bcc52b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b813f2fa0c7ff95d9c8a76cfde3d65e8457a701bb4bba902e8915db4b4bcc52b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly_release.yml"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED115", "level": "error", 
"message": {"text": "Action `snapcore/action-publish` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 87141, "scanner": "repobility-supply-chain", "fingerprint": "19f8408ca664cc67e09a776f73fac039cb39337c20bd7204a4ec468bdd33eceb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|19f8408ca664cc67e09a776f73fac039cb39337c20bd7204a4ec468bdd33eceb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly_release.yml"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `snapcore/action-publish` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 87140, "scanner": "repobility-supply-chain", "fingerprint": "aeea5cc244e23ef8f08e3b049dc0e7eee4948051f2ec6d7d8da10f94c88f2958", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aeea5cc244e23ef8f08e3b049dc0e7eee4948051f2ec6d7d8da10f94c88f2958"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly_release.yml"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dawidd6/action-download-artifact` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 87139, "scanner": "repobility-supply-chain", "fingerprint": "f9372a3a1792467eac261a235ef2c632844c4e62091e2f7a19cd9ce24560429f", "category": "dependency", "severity": 
"high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f9372a3a1792467eac261a235ef2c632844c4e62091e2f7a19cd9ce24560429f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly_release.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 87138, "scanner": "repobility-supply-chain", "fingerprint": "7476eab879766a8e507b8dc6e9e39f06c2f0c2f7bcc148d36a201c3ba9acb0f3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7476eab879766a8e507b8dc6e9e39f06c2f0c2f7bcc148d36a201c3ba9acb0f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly_release.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/stale` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 87137, "scanner": "repobility-supply-chain", "fingerprint": "a833e57560d7cdfb0b6688bdd1b0beb5b27fa312e4bfd9ae5432bd7c9f6290f5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", 
"correlation_key": "fp|a833e57560d7cdfb0b6688bdd1b0beb5b27fa312e4bfd9ae5432bd7c9f6290f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/stale_issues.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/codeql-action/analyze` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 87136, "scanner": "repobility-supply-chain", "fingerprint": "c8db4ecf0872157b3666cb872e5ec63764e50afc44e1a6b28f8c619659c9361a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c8db4ecf0872157b3666cb872e5ec63764e50afc44e1a6b28f8c619659c9361a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/analysis.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/cache` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 87135, "scanner": "repobility-supply-chain", "fingerprint": "0b8cc73586d8c85ba2f918da70ecc3fbcaeca353ac24448566664520387df6fa", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0b8cc73586d8c85ba2f918da70ecc3fbcaeca353ac24448566664520387df6fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/analysis.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action 
`hendrikmuhs/ccache-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 87134, "scanner": "repobility-supply-chain", "fingerprint": "931783781afebffc47d9c01265070bef7f1d1277d2ba9308c9b1a7c18b556126", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|931783781afebffc47d9c01265070bef7f1d1277d2ba9308c9b1a7c18b556126"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/analysis.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `github/codeql-action/init` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 87133, "scanner": "repobility-supply-chain", "fingerprint": "851d57c1e8640ae096971cd44599009f7ca3b6fff80fce0b9a33c2c8cc30cf60", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|851d57c1e8640ae096971cd44599009f7ca3b6fff80fce0b9a33c2c8cc30cf60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/analysis.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 87132, "scanner": "repobility-supply-chain", "fingerprint": "ad03c0cee61028b51bbd43e8742c870272202eea3b90a037fa04fe92136a3748", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", 
"verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ad03c0cee61028b51bbd43e8742c870272202eea3b90a037fa04fe92136a3748"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/analysis.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 87213, "scanner": "gitleaks", "fingerprint": "396bf26060ad658905e93cca60ad5dbcada19fc13f913494473ddb0745bac214", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "key >= REDACTED", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|450|key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/third_party/imgui/imgui/source/imgui.cpp"}, "region": {"startLine": 4507}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 87212, "scanner": "gitleaks", "fingerprint": "b0dc3c2c8f5658b1378021cf47eace3ce17ced9708c6d3e336418584c998d60d", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "token=<redacted>\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|1|token redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"lib/third_party/imgui/imnodes/README.md"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 87150, "scanner": "repobility-supply-chain", "fingerprint": "b3406e4de05fbd50c72114925463f578de5345fa262cf0683e49109213be4497", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b3406e4de05fbd50c72114925463f578de5345fa262cf0683e49109213be4497"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 87149, "scanner": "repobility-supply-chain", "fingerprint": "0dc40093fcebaf3dde9790218636e63d98b3d081b764286f8a8077c1b8804711", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0dc40093fcebaf3dde9790218636e63d98b3d081b764286f8a8077c1b8804711"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 84}}}]}]}]}