{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /se"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "AGT015", "name": "Remote install command pipes network code directly to a shell", "shortDescription": {"text": "Remote install command pipes network code directly to a shell"}, "fullDescription": {"text": "Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version."}, "properties": {"scanner": "repobility-agent-runtime", "category": "dependency", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal (and 13 more): Same pattern found in 13 additional files. Review if needed.", "shortDescription": {"text": "[SEC084] JS: require() with non-literal (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 4 more): Same pattern found in 4 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 6 more): Same pattern found in 6 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/512"}, "properties": {"repository": "elastic/kibana", "repoUrl": "https://github.com/elastic/kibana.git", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 30323, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 30322, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 30317, "scanner": "repobility-journey-contract", "fingerprint": "993ac156229440e78c3ead1be7c463c4c7e4f23f7e711872fc66a99d225f252a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/serverless/projects/{param}/{param}", "correlation_key": "fp|993ac156229440e78c3ead1be7c463c4c7e4f23f7e711872fc66a99d225f252a", "backend_endpoint_count": 40}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/steps/cloud/purge_projects.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 30316, "scanner": "repobility-journey-contract", "fingerprint": "e67f7f24971d9d0040a3d6c187e475b8a1f41cf3e78cc4e941a2e98d4c30a0a6", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/serverless/projects/observability", "correlation_key": "fp|e67f7f24971d9d0040a3d6c187e475b8a1f41cf3e78cc4e941a2e98d4c30a0a6", "backend_endpoint_count": 40}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/steps/cloud/purge_projects.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 30315, "scanner": "repobility-journey-contract", "fingerprint": "275920ad5bbc22bd24ffcf6da6c3a87b63b2e5227a99d6a14f33e34a41ad2803", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/serverless/projects/security", "correlation_key": "fp|275920ad5bbc22bd24ffcf6da6c3a87b63b2e5227a99d6a14f33e34a41ad2803", "backend_endpoint_count": 40}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/steps/cloud/purge_projects.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 30314, "scanner": "repobility-journey-contract", "fingerprint": "fc3f9602e14db31416a76c53b1c57f5e3ce58cdddbcf058dafe66b5ecef2a1ea", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/serverless/projects/elasticsearch", "correlation_key": "fp|fc3f9602e14db31416a76c53b1c57f5e3ce58cdddbcf058dafe66b5ecef2a1ea", "backend_endpoint_count": 40}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/steps/cloud/purge_projects.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: ANY /services/kibana/versions.yaml."}, "properties": {"repobilityId": 30313, "scanner": "repobility-access-control", "fingerprint": "6493afcd3f3b10d20fa6408ea710eefca3364983ed98dc2203e2f91a2aa37a83", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/services/kibana/versions.yaml", "method": "ANY", "scanner": "repobility-access-control", "framework": "Hapi", "correlation_key": "code|auth|. token|33|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/serverless/create_deploy_tag/info_sections/commit_info.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 30312, "scanner": "repobility-access-control", "fingerprint": "b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 40, "correlation_key": "fp|b2b220ffd00544f11577c95c6ebba1d9777fd8f8945f26d82bcf37e8c3177020", "auth_visible_percent": 0.0}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 30311, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express", "Next.js", "Hapi"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "AGT015", "level": "warning", "message": {"text": "Remote install command pipes network code directly to a shell"}, "properties": {"repobilityId": 30310, "scanner": "repobility-agent-runtime", "fingerprint": "66278e56029467459fa6d3c38f581ee3ba041becc6185faf75bc7d7d154a8928", "category": "dependency", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File contains a remote download piped directly to a shell without visible checksum or signature verification.", "evidence": {"rule_id": "AGT015", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|66278e56029467459fa6d3c38f581ee3ba041becc6185faf75bc7d7d154a8928"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/kbn-api-contracts/README.md"}, "region": {"startLine": 171}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 30284, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4f987c9ff9942781dc7de195fb087a8ec7ba70e754225fd352c58ba6763bb5bb", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "update", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "x-pack/platform/plugins/shared/licensing/common/license.ts", "correlation_key": "fp|4f987c9ff9942781dc7de195fb087a8ec7ba70e754225fd352c58ba6763bb5bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/platform/plugins/shared/licensing/common/license_update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 30283, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 30282, "scanner": "repobility-threat-engine", "fingerprint": "d6d7c1f65b113593f886d114c4f30dd064942a6ac747bdcce348618b9da7a298", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(getUrlForApp(def.appId)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|96|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/developer_examples/public/app.tsx"}, "region": {"startLine": 96}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 30272, "scanner": "repobility-threat-engine", "fingerprint": "407c08ca31639a1b903446f3bb17be42021020ad472cc33c1250ac5ceaf1923d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|88|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/lifecycle/aggregate_ftr_timing.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 30271, "scanner": "repobility-threat-engine", "fingerprint": "e171518252af5693e5fb8461d044cda4a8bd7d16dfbe62b33d3ce778b67c83b1", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|154|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/pipeline-utils/test-failures/annotate.ts"}, "region": {"startLine": 154}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 30270, "scanner": "repobility-threat-engine", "fingerprint": "b1865867b99580e45ba3ec29671694d0a2fd76eff0eef3faa3a74dc90d3a9ba1", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|427|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/pipeline-utils/buildkite/client.ts"}, "region": {"startLine": 427}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 30321, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 30320, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 30319, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 30318, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30309, "scanner": "repobility-ai-code-hygiene", "fingerprint": "199d3005a81124b3683bdca31e899cc8acd6529a9713217720e95e1769ec575a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/platform/packages/shared/kbn-cell-actions/.eslintrc.js", "duplicate_line": 1, "correlation_key": "fp|199d3005a81124b3683bdca31e899cc8acd6529a9713217720e95e1769ec575a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/solutions/security/plugins/security_solution/public/reports/.eslintrc.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30308, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b087dfa4aa71425e2bf8bcaf8dc4c73193bae26c7b48302a8a640fead96e3da4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/platform/packages/shared/kbn-cell-actions/.eslintrc.js", "duplicate_line": 1, "correlation_key": "fp|b087dfa4aa71425e2bf8bcaf8dc4c73193bae26c7b48302a8a640fead96e3da4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/solutions/security/plugins/security_solution/public/overview/.eslintrc.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30307, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aabdd12673d8f56b6eab6644165dfa3c896e69817310380d74f0fa68cea04d0e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/platform/packages/shared/kbn-cell-actions/.eslintrc.js", "duplicate_line": 1, "correlation_key": "fp|aabdd12673d8f56b6eab6644165dfa3c896e69817310380d74f0fa68cea04d0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/solutions/security/plugins/security_solution/public/onboarding/.eslintrc.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30306, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9f31ff56af6df7c64ce6ed3a06cde62a1431ae904870527c38e3fe92f317a794", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/platform/packages/shared/kbn-cell-actions/.eslintrc.js", "duplicate_line": 1, "correlation_key": "fp|9f31ff56af6df7c64ce6ed3a06cde62a1431ae904870527c38e3fe92f317a794"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/solutions/security/plugins/security_solution/public/explore/.eslintrc.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30305, "scanner": "repobility-ai-code-hygiene", "fingerprint": "576b51c8ec89f52b251e67587c02a1f230feb4e02c3d40a67aeeaf7719fe5c02", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/platform/packages/shared/kbn-cell-actions/.eslintrc.js", "duplicate_line": 1, "correlation_key": "fp|576b51c8ec89f52b251e67587c02a1f230feb4e02c3d40a67aeeaf7719fe5c02"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/solutions/security/plugins/security_solution/public/dashboards/.eslintrc.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30304, "scanner": "repobility-ai-code-hygiene", "fingerprint": "91cd30a1c837acb736753d040ee179c74d65c968805a5cdfc99e7bbca9da4b2d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/platform/packages/shared/kbn-cell-actions/.eslintrc.js", "duplicate_line": 1, "correlation_key": "fp|91cd30a1c837acb736753d040ee179c74d65c968805a5cdfc99e7bbca9da4b2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/solutions/security/plugins/security_solution/public/cases/.eslintrc.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30303, "scanner": "repobility-ai-code-hygiene", "fingerprint": "64cdec08acf6af2ff9cd7065e5517ed120e44b704cb4ccfa9ed6de2d96c01d17", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "x-pack/solutions/security/plugins/elastic_assistant/public/src/hooks/licence/license_service.ts", "duplicate_line": 14, "correlation_key": "fp|64cdec08acf6af2ff9cd7065e5517ed120e44b704cb4ccfa9ed6de2d96c01d17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/solutions/security/plugins/security_solution/common/license/license.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30302, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0c1e0b3ce23f6e4d9383cb60301ba0630f9f79ff7c76816cee7e8e7765b4d603", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "x-pack/platform/plugins/shared/fleet/common/services/license.ts", "duplicate_line": 1, "correlation_key": "fp|0c1e0b3ce23f6e4d9383cb60301ba0630f9f79ff7c76816cee7e8e7765b4d603"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/solutions/security/plugins/security_solution/common/license/license.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30301, "scanner": "repobility-ai-code-hygiene", "fingerprint": "332057ab64ff9a94c71ea1036facb5f2f3658cf1dd1b4193d6043878dfcce391", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "x-pack/platform/plugins/shared/fleet/common/services/license.ts", "duplicate_line": 1, "correlation_key": "fp|332057ab64ff9a94c71ea1036facb5f2f3658cf1dd1b4193d6043878dfcce391"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/solutions/security/plugins/elastic_assistant/public/src/hooks/licence/license_service.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30300, "scanner": "repobility-ai-code-hygiene", "fingerprint": "43e2bda6d535a0966e0bcaac892bcd87493515bef7b19e0e197adc291e6e44a4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/platform/packages/shared/kbn-cell-actions/.eslintrc.js", "duplicate_line": 1, "correlation_key": "fp|43e2bda6d535a0966e0bcaac892bcd87493515bef7b19e0e197adc291e6e44a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/solutions/security/plugins/ecs_data_quality_dashboard/.eslintrc.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30299, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f44358df2e87108bcbebbebc461b5db84017f97581c528879e8e4eca8f7f7f3b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/platform/packages/shared/kbn-cell-actions/.eslintrc.js", "duplicate_line": 1, "correlation_key": "fp|f44358df2e87108bcbebbebc461b5db84017f97581c528879e8e4eca8f7f7f3b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/solutions/security/packages/upselling/.eslintrc.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30298, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bf670e354df9537e942cd85b1d8a17af48c417556f425934401ca44317cb2758", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/platform/packages/shared/kbn-cell-actions/.eslintrc.js", "duplicate_line": 1, "correlation_key": "fp|bf670e354df9537e942cd85b1d8a17af48c417556f425934401ca44317cb2758"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/solutions/security/packages/side-nav/.eslintrc.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30297, "scanner": "repobility-ai-code-hygiene", "fingerprint": "65543d95396512ab4c09c4e46c9379c51945352d7993740ecad62a12bcf92b51", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/platform/packages/shared/kbn-cell-actions/.eslintrc.js", "duplicate_line": 1, "correlation_key": "fp|65543d95396512ab4c09c4e46c9379c51945352d7993740ecad62a12bcf92b51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/solutions/security/packages/navigation/.eslintrc.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30296, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2e592019178bce3b1bb6c23e3d7bc50e6177d607a84f8add67a454b945b71f78", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/platform/packages/shared/kbn-cell-actions/.eslintrc.js", "duplicate_line": 1, "correlation_key": "fp|2e592019178bce3b1bb6c23e3d7bc50e6177d607a84f8add67a454b945b71f78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/solutions/security/packages/features/.eslintrc.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30295, "scanner": "repobility-ai-code-hygiene", "fingerprint": "de00917084cc5de4a5c2d3b9bda4ae82e2786243c9482c79a25c540e5e4664db", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/platform/packages/shared/kbn-cell-actions/.eslintrc.js", "duplicate_line": 1, "correlation_key": "fp|de00917084cc5de4a5c2d3b9bda4ae82e2786243c9482c79a25c540e5e4664db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/solutions/security/packages/ecs-data-quality-dashboard/.eslintrc.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30294, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8ca67dcaabab3066dbb3fa832b6ae0d9d93094690e860e8d7b4c34c2aab9bbee", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/platform/packages/shared/kbn-cell-actions/.eslintrc.js", "duplicate_line": 1, "correlation_key": "fp|8ca67dcaabab3066dbb3fa832b6ae0d9d93094690e860e8d7b4c34c2aab9bbee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/solutions/security/packages/connectors/.eslintrc.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30293, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8f824456b5872c5886c4c8707af49265fb486ce42b262b96359e051243a9f643", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "x-pack/platform/plugins/shared/actions/server/lib/license_state.ts", "duplicate_line": 117, "correlation_key": "fp|8f824456b5872c5886c4c8707af49265fb486ce42b262b96359e051243a9f643"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/platform/plugins/shared/maintenance_windows/server/lib/license_state.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30292, "scanner": "repobility-ai-code-hygiene", "fingerprint": "09e633d3fc9973afc083a00be5717cdeab426c7313da05b9403bb142f44d3585", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "x-pack/platform/plugins/shared/alerting/server/lib/license_state.ts", "duplicate_line": 31, "correlation_key": "fp|09e633d3fc9973afc083a00be5717cdeab426c7313da05b9403bb142f44d3585"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/platform/plugins/shared/maintenance_windows/server/lib/license_state.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30291, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3bc4d6b374edafc8670c8e7948022ee5d9de394706e7f97c3f4075c25528fb63", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "x-pack/platform/plugins/shared/actions/server/lib/license_state.ts", "duplicate_line": 49, "correlation_key": "fp|3bc4d6b374edafc8670c8e7948022ee5d9de394706e7f97c3f4075c25528fb63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/platform/plugins/shared/alerting/server/lib/license_state.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30290, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f870092006b2aed652a402b31a958b5a8c13cc3b9dd2a5d7c9515baae332478d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "x-pack/platform/plugins/private/index_lifecycle_management/server/services/license.ts", "duplicate_line": 31, "correlation_key": "fp|f870092006b2aed652a402b31a958b5a8c13cc3b9dd2a5d7c9515baae332478d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/platform/plugins/private/snapshot_restore/server/services/license.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30289, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6c6e1b4c71b5cedd124fc28f9dfad0d098ee38a5a0f7e3fe787256c8b91af838", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "x-pack/platform/plugins/private/painless_lab/server/services/license.ts", "duplicate_line": 1, "correlation_key": "fp|6c6e1b4c71b5cedd124fc28f9dfad0d098ee38a5a0f7e3fe787256c8b91af838"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/platform/plugins/private/snapshot_restore/server/services/license.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30288, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a6543ae8ad89179fb1e890d67588a74a7f9893c98ed076fba46f16513cf37983", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "x-pack/platform/plugins/private/index_lifecycle_management/server/services/license.ts", "duplicate_line": 33, "correlation_key": "fp|a6543ae8ad89179fb1e890d67588a74a7f9893c98ed076fba46f16513cf37983"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/platform/plugins/private/rollup/server/services/license.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30287, "scanner": "repobility-ai-code-hygiene", "fingerprint": "48519f7b4051ee0e375d01f1db2a1e47f203ef8f4b425f079c1fa4a1120384ce", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "x-pack/platform/plugins/private/painless_lab/server/services/license.ts", "duplicate_line": 8, "correlation_key": "fp|48519f7b4051ee0e375d01f1db2a1e47f203ef8f4b425f079c1fa4a1120384ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/platform/plugins/private/rollup/server/services/license.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30286, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7419492a486a66bf3724fa8d75e4afbcfa2c8819a4c7edd597c768ea2ccfc8b0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "x-pack/platform/plugins/private/index_lifecycle_management/server/services/license.ts", "duplicate_line": 31, "correlation_key": "fp|7419492a486a66bf3724fa8d75e4afbcfa2c8819a4c7edd597c768ea2ccfc8b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "x-pack/platform/plugins/private/painless_lab/server/services/license.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 30285, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9e2dff299d70ebd016e99a5332bd3e4ed9b581179c7deacc1ef0c3fc9e51fb5b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/platform/packages/shared/kbn-cell-actions/.eslintrc.js", "duplicate_line": 1, "correlation_key": "fp|9e2dff299d70ebd016e99a5332bd3e4ed9b581179c7deacc1ef0c3fc9e51fb5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/platform/packages/shared/kbn-securitysolution-ecs/.eslintrc.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 30279, "scanner": "repobility-threat-engine", "fingerprint": "edf9927304e8f32b066e7a01486d486c545ac3f1529cbd5afaa0a90d82054a19", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "console.log(`Triggered by Buildkite build: ${process.env.BUILDKITE_BUILD_URL}`)", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|. token|26|console.log triggered by buildkite build: token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/generate_serverless_changelog.js"}, "region": {"startLine": 269}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 30278, "scanner": "repobility-threat-engine", "fingerprint": "0c9781691811315055859101c389a05a59bef0ba8e567b90af459187fc4587eb", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "console.log('---Updating puppeteer package to version %s', process.env.PUPPETEER_VERSION)", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|. token|14|console.log ---updating puppeteer package to version s token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/pipelines/chromium_linux_build/issue_feedback/entry.js"}, "region": {"startLine": 143}}}]}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 30277, "scanner": "repobility-threat-engine", "fingerprint": "6ae6e258772049fe1bad8c2ef0406f4a0dbe5e82826b503b1c5b5bc3a7acde6e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|6ae6e258772049fe1bad8c2ef0406f4a0dbe5e82826b503b1c5b5bc3a7acde6e"}}}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 30276, "scanner": "repobility-threat-engine", "fingerprint": "02e246a8ffd2ec081db248aeff2efd4582a5136ac6d2c4702369b7b05d4a6c61", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '//\\s*eslint-disable' detected on same line", "evidence": {"match": "require(`${", "reason": "Safe pattern '//\\s*eslint-disable' detected on same line", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|02e246a8ffd2ec081db248aeff2efd4582a5136ac6d2c4702369b7b05d4a6c61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/platform/packages/shared/kbn-securitysolution-ecs/.eslintrc.js"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 30275, "scanner": "repobility-threat-engine", "fingerprint": "baf89a05182aedb658ab923f90e50903ec534c3adb1b4e3da1bc39e777523833", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '//\\s*eslint-disable' detected on same line", "evidence": {"match": "require(`${", "reason": "Safe pattern '//\\s*eslint-disable' detected on same line", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|baf89a05182aedb658ab923f90e50903ec534c3adb1b4e3da1bc39e777523833"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/platform/packages/shared/kbn-cell-actions/.eslintrc.js"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 30273, "scanner": "repobility-threat-engine", "fingerprint": "7ad821c68fd7d69c56ceaf843dc975879999279796dea3d5e69af832688addea", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7ad821c68fd7d69c56ceaf843dc975879999279796dea3d5e69af832688addea"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 30269, "scanner": "repobility-threat-engine", "fingerprint": "8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 30265, "scanner": "repobility-threat-engine", "fingerprint": "f79b4c6ce4eb0d7d776ad2633f739e1a0f46e1ad817ef3a9572abdaf1937f71a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f79b4c6ce4eb0d7d776ad2633f739e1a0f46e1ad817ef3a9572abdaf1937f71a"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 30261, "scanner": "repobility-threat-engine", "fingerprint": "a600c5f1b687e0363f6cd72bae70904050dbf8acc3244366b5b6101b65c34836", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a600c5f1b687e0363f6cd72bae70904050dbf8acc3244366b5b6101b65c34836"}}}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 30281, "scanner": "repobility-threat-engine", "fingerprint": "2c8b3ce60f542223f5ecbe81976a8bfd87fb27b0b927c6085301a9c31d0010f9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2c8b3ce60f542223f5ecbe81976a8bfd87fb27b0b927c6085301a9c31d0010f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/generate_serverless_changelog.js"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 30280, "scanner": "repobility-threat-engine", "fingerprint": "b54d77e91a5e55c77988eaa196ef1f62f51c84cd28629e9b5d352e65f4b12e55", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b54d77e91a5e55c77988eaa196ef1f62f51c84cd28629e9b5d352e65f4b12e55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/pipelines/pull_request/pipeline.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 30268, "scanner": "repobility-threat-engine", "fingerprint": "757833ca7d18faab4ccfd52a64965a5a0c34ac3abb8ff874336d1fb06cb85321", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|757833ca7d18faab4ccfd52a64965a5a0c34ac3abb8ff874336d1fb06cb85321"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/pipelines/chromium_linux_build/issue_feedback/entry.js"}, "region": {"startLine": 205}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 30267, "scanner": "repobility-threat-engine", "fingerprint": "fea3ac8b66aa3cb14e941fe6ebb48adcf60e9f59076e3f00b0f75e3d4836c4c9", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fea3ac8b66aa3cb14e941fe6ebb48adcf60e9f59076e3f00b0f75e3d4836c4c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/pipeline-utils/buildkite/parse_link_header.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 30266, "scanner": "repobility-threat-engine", "fingerprint": "ddada5bc29a96c786dfa6bdfaed486e433de6b477529a3087ecfe279a6cf6169", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.get(l", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ddada5bc29a96c786dfa6bdfaed486e433de6b477529a3087ecfe279a6cf6169"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/pipeline-utils/buildkite/client.ts"}, "region": {"startLine": 213}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 30264, "scanner": "repobility-threat-engine", "fingerprint": "625704df5286cc599fe4158d3fa4ec956e2dd444c3179033e794b7b608792147", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|625704df5286cc599fe4158d3fa4ec956e2dd444c3179033e794b7b608792147"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/lifecycle/aggregate_ftr_timing.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 30263, "scanner": "repobility-threat-engine", "fingerprint": "0bb642d44550658084efb8c476d1708ef186b57a80d2ecfb630fe720d3a963df", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(cmd", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0bb642d44550658084efb8c476d1708ef186b57a80d2ecfb630fe720d3a963df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/pipeline-utils/test-failures/annotate.ts"}, "region": {"startLine": 140}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 30262, "scanner": "repobility-threat-engine", "fingerprint": "cc762461558ce80a5a7bd9b76c02463ee71bd59acbe9e42959b94212e2303271", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "execSync(command", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cc762461558ce80a5a7bd9b76c02463ee71bd59acbe9e42959b94212e2303271"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/pipeline-utils/affected-packages/strategy_moon.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 30260, "scanner": "repobility-threat-engine", "fingerprint": "9fc7a4fff8c7056bb50ba214c0a2fc8d9364f4030a8775df8eae73a536159a85", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([name, url]) => `<div>:link: ${link(name, url)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9fc7a4fff8c7056bb50ba214c0a2fc8d9364f4030a8775df8eae73a536159a85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/scripts/serverless/create_deploy_tag/info_sections/useful_links.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 30259, "scanner": "repobility-threat-engine", "fingerprint": "c6c89e8cf13883e4a631a5bb1c3cad907bf77afc8e7db48d04dea96bbd6722ca", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((n) => ` - ${n}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c6c89e8cf13883e4a631a5bb1c3cad907bf77afc8e7db48d04dea96bbd6722ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/pipeline-utils/ci-stats/pick_test_group_run_order/run_groups.ts"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 30258, "scanner": "repobility-threat-engine", "fingerprint": "3edd085172decfaa86bff399f4e94799569b76434940affa2167c50de1509af9", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((pattern) => `${platformPrefix}${pattern}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3edd085172decfaa86bff399f4e94799569b76434940affa2167c50de1509af9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/pipeline-utils/ci-stats/pick_test_group_run_order/jest_configs.ts"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 30257, "scanner": "repobility-threat-engine", "fingerprint": "78212832abcedcd363dbc00906df27f9afe85c00fbb350e2af69f030a713ccdd", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Path.resolve(input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|. token|112|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/debug-oas/scripts/extract_structural_oas_issues.js"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 30274, "scanner": "repobility-threat-engine", "fingerprint": "a21f2d031289d0757b1e755638ed124e05176f23fd7e74c6fde7158d0e16bb89", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(resolve", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a21f2d031289d0757b1e755638ed124e05176f23fd7e74c6fde7158d0e16bb89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".buildkite/pipeline-utils/ci-stats/get_tests_from_config.ts"}, "region": {"startLine": 22}}}]}]}]}