{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB012", "name": "Service worker is present without a web app manifest", "shortDescription": {"text": "Service worker is present without a web app manifest"}, "fullDescription": {"text": "Add a valid manifest.json or site.webmanifest and reference it from the document head. Include name, icons, start_url, display, and theme colors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR017", "name": "Dockerfile installs dependencies after copying the full source tree", "shortDescription": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "fullDescription": {"text": "Copy dependency manifests first, install dependencies in a cached layer, then copy the rest of the source tree."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC005", "name": "Duplicate top-level symbol appears in a patch-style file", "shortDescription": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "fullDescription": {"text": "Keep one authoritative implementation, update imports to point at it, and remove or rename the duplicate symbol."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers (and 5 more): Same pattern found in 5 additional files. Review ", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 159 more): Same pattern found in 159 ad", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 159 more): Same pattern found in 159 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC033", "name": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without fil", "shortDescription": {"text": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting ever"}, "fullDescription": {"text": "Sanitize keys BEFORE merge:\n  function sanitize(obj) {\n    delete obj.__proto__;\n    delete obj.constructor;\n    delete obj.prototype;\n    return obj;\n  }\nOr use Object.create(null) for the target. Or use Map() for user-key-indexed data. Upgrade lodash >= 4.17.21 for partial mitigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/488"}, "properties": {"repository": "TryGhost/Ghost", "repoUrl": "https://github.com/TryGhost/Ghost.git", "branch": "main"}, "results": [{"ruleId": "WEB012", "level": "warning", "message": {"text": "Service worker is present without a web app manifest"}, "properties": {"repobilityId": 28555, "scanner": "repobility-web-presence", "fingerprint": "fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A service worker was discovered but no common web manifest file was found.", "evidence": {"rule_id": "WEB012", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/Manifest"], "correlation_key": "fp|fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "manifest.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 28554, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 28553, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 28548, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 28547, "scanner": "repobility-docker", "fingerprint": "e72f8558fa045008b7623daa0d3549d05f28f81c46a93eec38007ebd5fdae3c3", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "$GHOST_IMAGE", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e72f8558fa045008b7623daa0d3549d05f28f81c46a93eec38007ebd5fdae3c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/Dockerfile.e2e"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 28545, "scanner": "repobility-docker", "fingerprint": "19b16a3dde11dc7f46d962624fd8dbb6d48d704c8ae69fe17e0e3b75bbc54b80", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "python:3.13-slim@sha256:eefe082c4b73082d83b8e7705ed999bc8a1dae57fe1ea723f907a0fc4b90f088", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|19b16a3dde11dc7f46d962624fd8dbb6d48d704c8ae69fe17e0e3b75bbc54b80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/tb-cli/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 28544, "scanner": "repobility-docker", "fingerprint": "1b11e364bbedbf5c8dbfd152239a9b2da8a8ffeef32fa80445878e1234ed1a5b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:$NODE_VERSION-bullseye-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1b11e364bbedbf5c8dbfd152239a9b2da8a8ffeef32fa80445878e1234ed1a5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/ghost-dev/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 28541, "scanner": "repobility-docker", "fingerprint": "67211d95c451d5b3d7e6163c21dadd7678050671bae052ecf74c012d0187b573", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "caddy:2-alpine@sha256:fce4f15aad23222c0ac78a1220adf63bae7b94355d5ea28eee53910624acedfa", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|67211d95c451d5b3d7e6163c21dadd7678050671bae052ecf74c012d0187b573"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/dev-gateway/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 28539, "scanner": "repobility-docker", "fingerprint": "16ccf40940eeb9d380200ec99880f403ec7cc2cfd0d44ad0c83b424d52326b25", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 28 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 28, "correlation_key": "fp|16ccf40940eeb9d380200ec99880f403ec7cc2cfd0d44ad0c83b424d52326b25", "dependency_install_line": 32}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.production"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 28538, "scanner": "repobility-docker", "fingerprint": "9ef09920b6b277e9836a2c05b60d24f72eda29def396c33fce5011462ec7fd20", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|9ef09920b6b277e9836a2c05b60d24f72eda29def396c33fce5011462ec7fd20", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.production"}, "region": {"startLine": 28}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 28510, "scanner": "repobility-threat-engine", "fingerprint": "a9d88b0802b5f977a3685fcafd50a2b7592343ac4889fe4079286d3ebca95116", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a9d88b0802b5f977a3685fcafd50a2b7592343ac4889fe4079286d3ebca95116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ghost/admin/app/components/gh-billing-iframe.js"}, "region": {"startLine": 131}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 28506, "scanner": "repobility-threat-engine", "fingerprint": "b10540acab557ad2fbfc90b6266bfbbfa18bcf8fbd38f6396e7c569a87454a93", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "Math.random()", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|2694|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/shade/src/components/patterns/filters.tsx"}, "region": {"startLine": 2694}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 28552, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 28551, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 28550, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 28549, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 28543, "scanner": "repobility-docker", "fingerprint": "624b97aec12adc4140607eb6df196ab22f968bdf4f48aba13d77131b52ab1499", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|624b97aec12adc4140607eb6df196ab22f968bdf4f48aba13d77131b52ab1499"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/ghost-dev/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 28540, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC005", "level": "note", "message": {"text": "Duplicate top-level symbol appears in a patch-style file"}, "properties": {"repobilityId": 28536, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7c70ef6ec5c820c9b0d38c271d3753e43843c3696aabb3be7df512e5d2f9ee0a", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Patch-style file defines a top-level symbol also defined in another source file.", "evidence": {"symbol": "CtrlOrCmd", "rule_id": "AIC005", "scanner": "repobility-ai-code-hygiene", "references": ["https://github.com/jendrikseipp/vulture", "https://knip.dev/"], "duplicate_file": "ghost/admin/app/components/gh-post-settings-menu/ctrl-or-cmd.js", "correlation_key": "fp|7c70ef6ec5c820c9b0d38c271d3753e43843c3696aabb3be7df512e5d2f9ee0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ghost/admin/app/components/gh-post-settings-menu/option-or-alt.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28535, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fb594a21f896a6008fa82e02c5e5cb3254f1fa3c5ed25b671f7c6969419b9c01", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/admin-x-settings/src/components/settings/email-design/design-fields/button-color-field.tsx", "duplicate_line": 5, "correlation_key": "fp|fb594a21f896a6008fa82e02c5e5cb3254f1fa3c5ed25b671f7c6969419b9c01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin-x-settings/src/components/settings/email-design/design-fields/link-color-field.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28534, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9b94cced637ce6d52529a9d2922402fdf56bc074a8df5972f612e346b660511d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/admin-x-settings/src/components/settings/email-design/design-fields/body-font-field.tsx", "duplicate_line": 10, "correlation_key": "fp|9b94cced637ce6d52529a9d2922402fdf56bc074a8df5972f612e346b660511d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin-x-settings/src/components/settings/email-design/design-fields/heading-font-field.tsx"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28533, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e5f6272cf53f66f44618ad7d47ad0b02890778d95641eacbaeb266658cfb27be", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/admin-x-settings/src/components/settings/advanced/labs/migration-options.tsx", "duplicate_line": 14, "correlation_key": "fp|e5f6272cf53f66f44618ad7d47ad0b02890778d95641eacbaeb266658cfb27be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin-x-settings/src/components/settings/advanced/migration-tools/universal-import-modal.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28532, "scanner": "repobility-ai-code-hygiene", "fingerprint": "55dbb7c91cc58c7d6e36c5d6a1ab71bd9503fd2e6cc59cbc9edaadab060f6872", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/admin-x-settings/src/components/settings/advanced/integrations/transistor-modal.tsx", "duplicate_line": 44, "correlation_key": "fp|55dbb7c91cc58c7d6e36c5d6a1ab71bd9503fd2e6cc59cbc9edaadab060f6872"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin-x-settings/src/components/settings/advanced/integrations/zapier-modal.tsx"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28531, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ee87184f1ec1d36284b11cf48c6cadfe4248413c308f113f49fdaff934c8a098", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/admin-x-settings/src/components/settings/advanced/integrations/pintura-modal.tsx", "duplicate_line": 30, "correlation_key": "fp|ee87184f1ec1d36284b11cf48c6cadfe4248413c308f113f49fdaff934c8a098"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin-x-settings/src/components/settings/advanced/integrations/unsplash-modal.tsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28530, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5628e81ed24c6873333bec185fdf45babcca2dfdca762be92f91b579ea00471b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/admin-x-settings/src/components/settings/advanced/integrations/first-promoter-modal.tsx", "duplicate_line": 32, "correlation_key": "fp|5628e81ed24c6873333bec185fdf45babcca2dfdca762be92f91b579ea00471b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin-x-settings/src/components/settings/advanced/integrations/transistor-modal.tsx"}, "region": {"startLine": 61}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28529, "scanner": "repobility-ai-code-hygiene", "fingerprint": "df2336f7ea59602165e4f1a79667fa32c27c4f5d57f45c3cc81a54d235a4bbca", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/admin-x-design-system/vite.config.ts", "duplicate_line": 33, "correlation_key": "fp|df2336f7ea59602165e4f1a79667fa32c27c4f5d57f45c3cc81a54d235a4bbca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin-x-framework/vite.config.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28528, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3940b10d82f6fb6731d2eb069ec40d80176568168971a91f12ae5db7d094e548", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/admin-x-design-system/vite.config.ts", "duplicate_line": 49, "correlation_key": "fp|3940b10d82f6fb6731d2eb069ec40d80176568168971a91f12ae5db7d094e548"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin-x-framework/src/vite.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28527, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f4195c3654ae2c997f2f11174b5f69e184c49f640a533fcb4975fc3bc947a6c8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/admin-x-design-system/src/global/modal/modal.tsx", "duplicate_line": 120, "correlation_key": "fp|f4195c3654ae2c997f2f11174b5f69e184c49f640a533fcb4975fc3bc947a6c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin-x-design-system/src/global/modal/preview-modal.tsx"}, "region": {"startLine": 98}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28526, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7218765965e465f5d8c3ec809c1b02a88517b7835029184d434ca8378a83258f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/activitypub/src/views/preferences/components/profile.tsx", "duplicate_line": 57, "correlation_key": "fp|7218765965e465f5d8c3ec809c1b02a88517b7835029184d434ca8378a83258f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/views/profile/components/profile-page.tsx"}, "region": {"startLine": 90}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28525, "scanner": "repobility-ai-code-hygiene", "fingerprint": "469874fe795543e8f657f451ec39bc2fc87f67aec3dd342d843ba0c96676136a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/activitypub/src/views/feed/components/feed-list.tsx", "duplicate_line": 34, "correlation_key": "fp|469874fe795543e8f657f451ec39bc2fc87f67aec3dd342d843ba0c96676136a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/views/profile/components/posts.tsx"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28524, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6d71698762afff9bb57b7e5c0ef999095711676b3b5af0c6dacba67dddcd560e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/activitypub/src/views/profile/components/likes.tsx", "duplicate_line": 20, "correlation_key": "fp|6d71698762afff9bb57b7e5c0ef999095711676b3b5af0c6dacba67dddcd560e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/views/profile/components/posts.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28523, "scanner": "repobility-ai-code-hygiene", "fingerprint": "132b5639c22ddb078ae9bec854bd7b2dcdfdd23ff5f608271e4463eccf593115", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/activitypub/src/views/feed/components/feed-list.tsx", "duplicate_line": 34, "correlation_key": "fp|132b5639c22ddb078ae9bec854bd7b2dcdfdd23ff5f608271e4463eccf593115"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/views/profile/components/likes.tsx"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28522, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7f3ab40429605f66cf0721fd08c254951b2b374fccc869ae7ffb43e3dd587aa4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/activitypub/src/views/feed/components/feed-list.tsx", "duplicate_line": 34, "correlation_key": "fp|7f3ab40429605f66cf0721fd08c254951b2b374fccc869ae7ffb43e3dd587aa4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/views/profile/components/actor-list.tsx"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28521, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8104131891c9fa39b2fbbc0822bf99dca9e7be571d5662ca913721f6f2680194", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/activitypub/src/views/notifications/notifications.tsx", "duplicate_line": 185, "correlation_key": "fp|8104131891c9fa39b2fbbc0822bf99dca9e7be571d5662ca913721f6f2680194"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/views/profile/components/actor-list.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28520, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6d189a16feb9cf92dbda5f3e80792c72d427a04fef5fd7800e6c425a00e15e9c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/activitypub/src/components/modals/new-note-modal.tsx", "duplicate_line": 170, "correlation_key": "fp|6d189a16feb9cf92dbda5f3e80792c72d427a04fef5fd7800e6c425a00e15e9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/views/preferences/components/edit-profile.tsx"}, "region": {"startLine": 89}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28519, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d7e529c1e770e0d204000b593306fc25384e27a7ed61c0e810dfb03a5ea4bf0f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/activitypub/src/views/feed/components/feed-list.tsx", "duplicate_line": 34, "correlation_key": "fp|d7e529c1e770e0d204000b593306fc25384e27a7ed61c0e810dfb03a5ea4bf0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/views/notifications/notifications.tsx"}, "region": {"startLine": 187}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28518, "scanner": "repobility-ai-code-hygiene", "fingerprint": "59365c3947b90a5d82a3e26e31444326c644b2ceeceb64d9ff5bec434d43c9cd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/activitypub/src/components/feed/feed-item.tsx", "duplicate_line": 283, "correlation_key": "fp|59365c3947b90a5d82a3e26e31444326c644b2ceeceb64d9ff5bec434d43c9cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/views/notifications/notifications.tsx"}, "region": {"startLine": 143}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28517, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fced03859ee6ab3e825beeac8646ffd91902491f0a66a935444f9a591ef0152e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/activitypub/src/views/feed/note.tsx", "duplicate_line": 62, "correlation_key": "fp|fced03859ee6ab3e825beeac8646ffd91902491f0a66a935444f9a591ef0152e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/views/inbox/components/reader.tsx"}, "region": {"startLine": 396}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28516, "scanner": "repobility-ai-code-hygiene", "fingerprint": "39f4764607085ffc71c5f4965e4ee44fa8dcf10af878d4f2faf46dd7e1b8496a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/activitypub/src/views/feed/components/feed-list.tsx", "duplicate_line": 31, "correlation_key": "fp|39f4764607085ffc71c5f4965e4ee44fa8dcf10af878d4f2faf46dd7e1b8496a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/views/inbox/components/inbox-list.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28515, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bbcf85692d78abfc3327176fd08aeca19b41a38bdc87292a25ad392642fbe47b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/activitypub/src/components/global/suggested-profiles.tsx", "duplicate_line": 18, "correlation_key": "fp|bbcf85692d78abfc3327176fd08aeca19b41a38bdc87292a25ad392642fbe47b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/views/explore/explore.tsx"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28514, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d6591531a2ea3610cced8ac40ad460e06b043085d217f37017c63bdab8f59813", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/activitypub/src/utils/pending-activity.ts", "duplicate_line": 15, "correlation_key": "fp|d6591531a2ea3610cced8ac40ad460e06b043085d217f37017c63bdab8f59813"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/utils/posts.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 28513, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d7b9d6eccf02f0e1f63ba853d7b42fc525d5113a37c1b117cbd6d7cc55ecd0cb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/activitypub/src/components/feed/feed-item.tsx", "duplicate_line": 251, "correlation_key": "fp|d7b9d6eccf02f0e1f63ba853d7b42fc525d5113a37c1b117cbd6d7cc55ecd0cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/components/global/ap-avatar.tsx"}, "region": {"startLine": 69}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 28512, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d59120fa652019d7b7ab312e5bafa3d220752d68f6158f409a297f3e3442f289", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "new", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|d59120fa652019d7b7ab312e5bafa3d220752d68f6158f409a297f3e3442f289"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin/src/whats-new/hooks/use-whats-new.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 28499, "scanner": "repobility-threat-engine", "fingerprint": "6f3a1d816c4cfd88ecb8ca1ced9c0764be2752403c7105e43341f8ac703b46eb", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = t", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|15|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/views/preferences/components/edit-profile.tsx"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 28498, "scanner": "repobility-threat-engine", "fingerprint": "e13c3f5bf2ea2dab9c657087063183b9ea8b4f054e45ad85cc8ebcfe9cfde750", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = c", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|84|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/utils/content-formatters.ts"}, "region": {"startLine": 84}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 28546, "scanner": "repobility-docker", "fingerprint": "0477c845f2f46ce443fa98d4a546a8aad987857a45938da471ad077cf73bfbcb", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$GHOST_IMAGE", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|0477c845f2f46ce443fa98d4a546a8aad987857a45938da471ad077cf73bfbcb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/Dockerfile.e2e"}, "region": {"startLine": 12}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 28542, "scanner": "repobility-docker", "fingerprint": "9377b9b232dd059bda71e6f9798e3cc4ed6a8a2172e222884b5e3380398b5e50", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "node:$NODE_VERSION-bullseye-slim", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|9377b9b232dd059bda71e6f9798e3cc4ed6a8a2172e222884b5e3380398b5e50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/ghost-dev/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 28537, "scanner": "repobility-docker", "fingerprint": "145205c3cf205fdf8d8ad5be55a0b708c65847b19d07153eddf652d537ead7fb", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "node:$NODE_VERSION-bookworm-slim", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|145205c3cf205fdf8d8ad5be55a0b708c65847b19d07153eddf652d537ead7fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.production"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 28509, "scanner": "repobility-threat-engine", "fingerprint": "952a859e39814203fe507e04b33b6f8be8af1a17dd026350cc6611ad25affc6f", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|952a859e39814203fe507e04b33b6f8be8af1a17dd026350cc6611ad25affc6f"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 28508, "scanner": "repobility-threat-engine", "fingerprint": "3b6a80d485bb8fb1946bc91b740fc8ae3ef9d63ff19dfe6f4149521681bee945", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|60|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/posts/src/hooks/use-filter-params.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 28507, "scanner": "repobility-threat-engine", "fingerprint": "ccd81ef52f879ccf400bc99c7a59fc5790b49c4715d4f64dbbb7a9283b83d593", "category": "crypto", "severity": "info", "confidence": 0.25, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "evidence": {"match": "Math.random()", "reason": "Weak PRNG appears to be used for non-security behavior (UI, sampling, demos, shuffling, or backoff), not for secrets", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.25, "correlation_key": "code|crypto|token|12|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/portal/src/utils/fixtures-generator.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC027", "level": "none", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 28505, "scanner": "repobility-threat-engine", "fingerprint": "b18c1638d202067d9cb835d731c822dfd301c90d5b3037c06c6cb477a962bf70", "category": "xxe", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b18c1638d202067d9cb835d731c822dfd301c90d5b3037c06c6cb477a962bf70"}}}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 28500, "scanner": "repobility-threat-engine", "fingerprint": "7c75117ed4a51d3db3b5cdbe93d52bccd27daa09a6d72c5ad9b6e7d62270fdb4", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7c75117ed4a51d3db3b5cdbe93d52bccd27daa09a6d72c5ad9b6e7d62270fdb4"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 159 more): Same pattern found in 159 additional files. Review if needed."}, "properties": {"repobilityId": 28496, "scanner": "repobility-threat-engine", "fingerprint": "f3b1243ab0f78410a7ffee1a68c2a3c2499554eadb8b7e1771b3cec04fbebc3b", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 159 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 159 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f3b1243ab0f78410a7ffee1a68c2a3c2499554eadb8b7e1771b3cec04fbebc3b"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 28492, "scanner": "repobility-threat-engine", "fingerprint": "0ad6ce3724a9a7509f3164a93594c56642d404dbee3e2938c3fc957bfd36e584", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.warn('Tinybird analytics: No valid token received. Check your Tinybird configuration (worksp", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|2|console.warn tinybird analytics: no valid token received. check your tinybird configuration worksp"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin-x-framework/src/hooks/use-tinybird-token.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 28491, "scanner": "repobility-threat-engine", "fingerprint": "0992228b87ef2fcd24c894803cc309b8244ef333100b97965de4af8baa6a8a02", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(`\ud83d\udcdd Loaded ${renovateConfig.ignoreDeps.length} ignored dependencies from renovate.json`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|. token|10|console.log loaded token ignored dependencies from renovate.json"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/dependency-inspector.js"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC033", "level": "error", "message": {"text": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting every object in the process. CWE-1321. Real-world: CVE-2019-10744 (lodash), CVE-2021-23337 (lodash.set), CVE-2023-26136 (tough-cookie)."}, "properties": {"repobilityId": 28511, "scanner": "repobility-threat-engine", "fingerprint": "f32f68e3929e89a2d8a6b5e6149b69b3a8d270f799def12bc9794d16666f6e2e", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_.defaultsDeep(query, query", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC033", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f32f68e3929e89a2d8a6b5e6149b69b3a8d270f799def12bc9794d16666f6e2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ghost/core/core/frontend/services/data/fetch-data.js"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 28504, "scanner": "repobility-threat-engine", "fingerprint": "76dac01e12c9a9f308b31be347490ce6f9b09e92cf72569b703e782f123f3767", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|76dac01e12c9a9f308b31be347490ce6f9b09e92cf72569b703e782f123f3767"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin-x-settings/src/components/settings/site/announcement-bar/announcement-bar-preview.tsx"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 28503, "scanner": "repobility-threat-engine", "fingerprint": "83e583adffda3231e2590c55254ea52412641e66a9a8da8522ba68b560d23c88", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|83e583adffda3231e2590c55254ea52412641e66a9a8da8522ba68b560d23c88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin-x-settings/src/components/settings/membership/member-emails/use-welcome-email-preview.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 28502, "scanner": "repobility-threat-engine", "fingerprint": "383f84aad34fa74f841c80d1263b825bf7d15aad5a12bad50699ff2c599809b1", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|383f84aad34fa74f841c80d1263b825bf7d15aad5a12bad50699ff2c599809b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/admin-x-design-system/src/global/form/html-editor.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "properties": {"repobilityId": 28501, "scanner": "repobility-threat-engine", "fingerprint": "4e41fe1dfaaaeb99e7e7af65f4f7eca46dce8195abc9fb946e0d17bc365b430f", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "Open(!!params", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|42|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/views/inbox/components/inbox-list.tsx"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC006", "level": "error", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 28497, "scanner": "repobility-threat-engine", "fingerprint": "e033256efc4a7d91bdeaed2d1bb7010f67fa67a5267f58e1ab8117981c2a00cb", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "document.write(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|23|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ghost/admin/app/components/gh-html-iframe.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 28495, "scanner": "repobility-threat-engine", "fingerprint": "e8b4e353770f92ddfc4598f8454d84c9e2053a9bd66631739478d5b0285ae8b0", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(f", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e8b4e353770f92ddfc4598f8454d84c9e2053a9bd66631739478d5b0285ae8b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/components/modals/new-note-modal.tsx"}, "region": {"startLine": 175}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 28494, "scanner": "repobility-threat-engine", "fingerprint": "bdfe9866eb7caef5829987ed9009a1908ba9cd047b65700ea98929e90d3885bf", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bdfe9866eb7caef5829987ed9009a1908ba9cd047b65700ea98929e90d3885bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/components/global/ap-avatar.tsx"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 28493, "scanner": "repobility-threat-engine", "fingerprint": "85077ad1e3b51cc302db7baa45dce5b5eddf33e2d6fd046f506bc828263a254c", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|85077ad1e3b51cc302db7baa45dce5b5eddf33e2d6fd046f506bc828263a254c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/activitypub/src/api/activitypub.ts"}, "region": {"startLine": 533}}}]}]}]}