{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB004", "name": "robots.txt blocks the full public site", "shortDescription": {"text": "robots.txt blocks the full public site"}, "fullDescription": {"text": "`User-agent: *` with `Disallow: /` prevents normal indexing and can also hide public docs from AI agents unless there is a clear exception."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "A frontend string references a same-origin API path that Repobility could not match to backend route inventory. 
This often causes live 404s in user journeys."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE "}, "fullDescription": {"text": "A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/:itemId."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /:id."}, "fullDescription": {"text": "An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: PUT /:id."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "CWE-285", "owasp": "API5:2023 Broken Function Level Authorization"}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 32.2% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 32.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Only 32.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKR003", "name": "Compose service `oikos` image uses the latest tag", "shortDescription": {"text": "Compose service `oikos` image uses the latest tag"}, "fullDescription": {"text": "The latest tag is mutable and can change without a code review, producing different images from the same source."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, 
{"id": "DKC000", "name": "Docker Compose file could not be parsed", "shortDescription": {"text": "Docker Compose file could not be parsed"}, "fullDescription": {"text": "Repobility could not parse this Compose file as YAML, so service-level Docker security checks were skipped."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is      functionally equivalent to `a+` for matching purposes.\n  2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in      replacement for `re` for most use cases.\n  3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC105", "name": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted ove", "shortDescription": {"text": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie missing HttpOnly (allows JS reads), Secure (transmitted over plain HTTP), or SameSite (CSRF). 
Each on its own is a finding."}, "fullDescription": {"text": "Always set HttpOnly=true, Secure=true (in production), SameSite=Lax or Strict. For Express: `res.cookie(name, val, { httpOnly: true, secure: true, sameSite: 'lax' })`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. 
Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "AI coding agents increasingly read llms.txt to find canonical docs and API workflows. Without it, agents are more likely to browse pages repeatedly or use stale instructions."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "A sitemap gives search engines, docs crawlers, and AI agents a structured list of public pages. 
Without one, important docs and product pages are easy to miss."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "CWE-285", "owasp": "WSTG-AUTHZ"}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", 
"severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Installing recommended packages often pulls in unnecessary runtime surface area."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Files named as final, fixed, copy, new, or backup are often temporary patch artifacts. They may be legitimate, but they deserve review before becoming production surface area."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password (and 15 more): Same pattern found in 15 additional files. Review if needed.", "shortDescription": {"text": "[SEC001] Hardcoded Password (and 15 more): Same pattern found in 15 additional files. 
Review if needed."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC135", "name": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 3 more): Same pattern found in 3 additional files. ", "shortDescription": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Add the project's auth decorator/middleware: `@login_required` (Django/Flask), `@permission_classes([IsAuthenticated])` (DRF), `Depends(get_current_user)` (FastAPI), `requireAuth` middleware (Express). 
For genuinely public endpoints, add a `# public-endpoint` marker comment so future scans skip them."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /:listId/items."}, "fullDescription": {"text": "A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /:listId/items."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "CWE-639", "owasp": "API1:2023 Broken Object Level Authorization"}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. 
The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC036", "name": "[SEC036] HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without stripping CRLF ", "shortDescription": {"text": "[SEC036] HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without stripping CRLF lets attackers inject extra headers (Set-Cookie, etc.) or split the response. Real CVEs: CVE-2017-15193 (Mahara), CVE-20"}, "fullDescription": {"text": "Strip `\\r\\n` before setting headers:\n  safe = value.replace('\\r','').replace('\\n','')\n  response.headers['X-Custom'] = safe\nMost modern frameworks (Django 3+, Express 4.10+) already do this \u2014 but custom header-setting code often doesn't. 
Prefer framework methods (`response.set_cookie`) over manual header dict assignment."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/setup-node` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `node:22-slim` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `node:22-slim` not pinned by digest"}, "fullDescription": {"text": "`FROM node:22-slim` resolves the tag at build time. 
The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "Express DELETE /:listId/items/checked has no auth", "shortDescription": {"text": "Express DELETE /:listId/items/checked has no auth"}, "fullDescription": {"text": "Express route DELETE /:listId/items/checked declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.CLAUDE_CODE_OAUTH_TOKEN` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.CLAUDE_CODE_OAUTH_TOKEN` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CLAUDE_CODE_OAUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1107"}, "properties": {"repository": "ulsklyc/oikos", "repoUrl": "https://github.com/ulsklyc/oikos", "branch": "main"}, "results": [{"ruleId": "WEB004", "level": "warning", "message": {"text": "robots.txt blocks the full public site"}, "properties": {"repobilityId": 109423, "scanner": "repobility-web-presence", "fingerprint": "2ddf9fdc45881d6bdc147bcb3c6de9d6afa48a973847300ac76842f3ac491c91", "category": "quality", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "robots.txt contains a global disallow rule for the root path.", "evidence": {"rule_id": "WEB004", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309"], "correlation_key": "fp|2ddf9fdc45881d6bdc147bcb3c6de9d6afa48a973847300ac76842f3ac491c91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 109421, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": 
"fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 109417, "scanner": "repobility-journey-contract", "fingerprint": "ee6524aeda859b49bf21ab07574c8a38a972b4b6e506d1e10562082082d624cf", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/dashboard", "correlation_key": "fp|ee6524aeda859b49bf21ab07574c8a38a972b4b6e506d1e10562082082d624cf", "backend_endpoint_count": 211}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/index.js"}, "region": {"startLine": 296}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 109416, "scanner": "repobility-journey-contract", "fingerprint": "e08b7d4b50ff2a655b1665c48a4fa1136b8db03043629ad76983cc5d2b352ab0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1", "correlation_key": "fp|e08b7d4b50ff2a655b1665c48a4fa1136b8db03043629ad76983cc5d2b352ab0", "backend_endpoint_count": 211}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/index.js"}, "region": {"startLine": 295}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 109415, "scanner": "repobility-journey-contract", "fingerprint": "c0efa01bc406722d70c21935eca4a6e76cf5b2724c643d96924bf95028e9369d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1", "correlation_key": "fp|c0efa01bc406722d70c21935eca4a6e76cf5b2724c643d96924bf95028e9369d", "backend_endpoint_count": 211}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/index.js"}, "region": {"startLine": 281}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 109414, "scanner": "repobility-journey-contract", "fingerprint": "95ab5b998d6a3b5fb51b073be587339bb6276bdf79356ea19d836e65bb200b74", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1", "correlation_key": "fp|95ab5b998d6a3b5fb51b073be587339bb6276bdf79356ea19d836e65bb200b74", "backend_endpoint_count": 211}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/index.js"}, 
"region": {"startLine": 280}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 109413, "scanner": "repobility-journey-contract", "fingerprint": "1ffcbaadbbd104599e36cee6b107e809a8dd3bde337dedab92dea427e0f0507e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/auth", "correlation_key": "fp|1ffcbaadbbd104599e36cee6b107e809a8dd3bde337dedab92dea427e0f0507e", "backend_endpoint_count": 211}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/index.js"}, "region": {"startLine": 194}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 109412, "scanner": "repobility-journey-contract", "fingerprint": "c8b86c4fd67f6bfe66eb7d36fbc0ac449afd6e635e029fe5a7e5e6c9ef19123d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/backup/database", "correlation_key": "fp|c8b86c4fd67f6bfe66eb7d36fbc0ac449afd6e635e029fe5a7e5e6c9ef19123d", "backend_endpoint_count": 211}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/pages/settings.js"}, "region": {"startLine": 851}}}]}, {"ruleId": "JRN003", 
"level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 109411, "scanner": "repobility-journey-contract", "fingerprint": "365a56481d04c96f6168547a359710b1d7a88a89e8dc92e08d390335438f3c56", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/calendar/google/auth", "correlation_key": "fp|365a56481d04c96f6168547a359710b1d7a88a89e8dc92e08d390335438f3c56", "backend_endpoint_count": 211}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/pages/settings.js"}, "region": {"startLine": 603}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 109410, "scanner": "repobility-journey-contract", "fingerprint": "19d836b7520dac38a1b2c6bc36c7a8e996e5adc708632b15a9acab99582917ac", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/auth/oidc/start", "correlation_key": "fp|19d836b7520dac38a1b2c6bc36c7a8e996e5adc708632b15a9acab99582917ac", "backend_endpoint_count": 211}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/pages/login.js"}, "region": {"startLine": 144}}}]}, {"ruleId": "JRN003", "level": "warning", "message": 
{"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 109409, "scanner": "repobility-journey-contract", "fingerprint": "07f75b6f4bda63080cdeded87d41d3731699ed4145b64ed31db169d4719f1718", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/auth/oidc/config", "correlation_key": "fp|07f75b6f4bda63080cdeded87d41d3731699ed4145b64ed31db169d4719f1718", "backend_endpoint_count": 211}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/pages/login.js"}, "region": {"startLine": 132}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 109408, "scanner": "repobility-journey-contract", "fingerprint": "5b31e7af8c6e8f7c3cb23a89e6dd4488ee98a62f16be422451c1194a28a9638c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/documents/{param}/download", "correlation_key": "fp|5b31e7af8c6e8f7c3cb23a89e6dd4488ee98a62f16be422451c1194a28a9638c", "backend_endpoint_count": 211}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/pages/documents.js"}, "region": {"startLine": 297}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API 
reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 109407, "scanner": "repobility-journey-contract", "fingerprint": "67fac5b281b97626717924237bd5e1086d45144ee72d7710a4c28cc7bbfa50c9", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/weather/icon", "correlation_key": "fp|67fac5b281b97626717924237bd5e1086d45144ee72d7710a4c28cc7bbfa50c9", "backend_endpoint_count": 211}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/pages/dashboard.js"}, "region": {"startLine": 839}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 109406, "scanner": "repobility-journey-contract", "fingerprint": "e6245a1b60332ce5c6f18f507009902fb89f74f0e9d04488bb76f6135c559578", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/contacts/{param}/vcard", "correlation_key": "fp|e6245a1b60332ce5c6f18f507009902fb89f74f0e9d04488bb76f6135c559578", "backend_endpoint_count": 211}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/pages/contacts.js"}, "region": {"startLine": 250}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by 
discovered backend routes"}, "properties": {"repobilityId": 109405, "scanner": "repobility-journey-contract", "fingerprint": "fb0fd375406b9f98ab2f212c1db352b65e68db826d0e80e3a5d567fe55c452f2", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/contacts/{param}/vcard", "correlation_key": "fp|fb0fd375406b9f98ab2f212c1db352b65e68db826d0e80e3a5d567fe55c452f2", "backend_endpoint_count": 211}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/pages/contacts.js"}, "region": {"startLine": 246}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 109404, "scanner": "repobility-journey-contract", "fingerprint": "6db8785ef656e6038153bd2515e2aea4e5fa91f0b62b22ef6c6324993e49ec7d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/budget/export", "correlation_key": "fp|6db8785ef656e6038153bd2515e2aea4e5fa91f0b62b22ef6c6324993e49ec7d", "backend_endpoint_count": 211}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/pages/budget.js"}, "region": {"startLine": 377}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, 
"properties": {"repobilityId": 109403, "scanner": "repobility-journey-contract", "fingerprint": "ebe5cb76f6f0977c3bef39b861b757449447f22105c8800463d7050ecb54f5e4", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1", "correlation_key": "fp|ebe5cb76f6f0977c3bef39b861b757449447f22105c8800463d7050ecb54f5e4", "backend_endpoint_count": 211}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/api.js"}, "region": {"startLine": 7}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: DELETE /items/:itemId."}, "properties": {"repobilityId": 109401, "scanner": "repobility-access-control", "fingerprint": "5d0158dee69055f9966a2e6f508989a55b01b17823779f37f79e86603ac02b72", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/items/:itemId", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/routes/shopping.js|256|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 256}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: DELETE /categories/:catId."}, "properties": {"repobilityId": 109400, "scanner": "repobility-access-control", "fingerprint": "068e9153e7be2d4fbf764e1bbc4b8e8a1308b1dc0a5cd61bd2634c285fede067", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/categories/:catId", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/routes/shopping.js|128|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 128}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /supply-requests."}, "properties": {"repobilityId": 109399, "scanner": "repobility-access-control", "fingerprint": "005b52e9cc77b1279cf397a3bef07ffd4b95cba451a21a1354ae960a71105b37", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/supply-requests", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|1010|cwe-285", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 1010}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: DELETE /decay-tasks/:taskId."}, "properties": {"repobilityId": 109398, "scanner": "repobility-access-control", "fingerprint": "fb1dc979bb5128ee3c6be07e22e09a45df2e840679506f81feb92f79c03ed62c", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/decay-tasks/:taskId", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|997|cwe-285", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 997}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /work-sessions/check-out."}, "properties": {"repobilityId": 109397, "scanner": "repobility-access-control", "fingerprint": "c9880ed1d62896443b5de2492a69b6f0afd56d3c2c343de7330683e3cb1a4c12", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/work-sessions/check-out", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|869|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 869}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: DELETE /visits/:id."}, "properties": {"repobilityId": 109396, "scanner": "repobility-access-control", "fingerprint": "7e40e0ef6faf85f776b4768377d617ee36519a22a5e17f3dfbb9e61137004b05", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/visits/:id", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|852|cwe-285", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 852}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /visits/:id."}, "properties": {"repobilityId": 109395, "scanner": "repobility-access-control", "fingerprint": "cad0e0d20cd70aab46a641310fbd5955326ab22ab5feabef912b681e6e763365", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/visits/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|724|cwe-285", "identity_targets": ["authenticated", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 724}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /visits."}, "properties": {"repobilityId": 109394, "scanner": "repobility-access-control", "fingerprint": "b10cd0a2bea9fab789747cafaf484f30755f2058655247ddd5b4097d5d271598", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/visits", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|626|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 626}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /work-sessions."}, "properties": {"repobilityId": 109393, "scanner": "repobility-access-control", "fingerprint": "2b015b536f1483e1c0bb9508ba768b92f24a5cc2e8e9667e31e9dc5dd731c975", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/work-sessions", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|609|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 609}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /oidc/callback."}, "properties": {"repobilityId": 109392, "scanner": "repobility-access-control", "fingerprint": "98c172893e467ed5a4bfdc8e8b229f8ebcce5216c669ee5fb074878567c861fd", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/oidc/callback", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/auth.js|593|cwe-285", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/auth.js"}, "region": {"startLine": 593}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: PUT /:id."}, "properties": {"repobilityId": 109391, "scanner": "repobility-access-control", "fingerprint": "06bf53b41c4201f3b9fc5e005fe8d6235fd6c4395f31f11a8ece6dc5bc43d379", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id", "method": "PUT", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/routes/documents.js|228|cwe-285", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/documents.js"}, "region": {"startLine": 228}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /worker."}, "properties": {"repobilityId": 109390, "scanner": "repobility-access-control", "fingerprint": "98028a927ffee9b31d6fce41b3f5e9e8265dd5c0dc39cceeacf7c5e2809319ad", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/worker", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|499|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 499}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /openapi.json."}, "properties": {"repobilityId": 109389, "scanner": "repobility-access-control", "fingerprint": "9a3341e0ad4c3b2d965a03a5dede98f420628385969984887b6f347a6c723da1", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/openapi.json", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/index.js|277|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/index.js"}, "region": {"startLine": 277}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /api/v1/openapi.json."}, "properties": {"repobilityId": 109388, "scanner": "repobility-access-control", "fingerprint": "8529fe8c02039972f45eb17f7ea340449c1a90d960c766914d6fe85c66878782", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api/v1/openapi.json", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/index.js|275|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/index.js"}, "region": {"startLine": 275}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: DELETE /users/:id."}, "properties": {"repobilityId": 109387, "scanner": "repobility-access-control", "fingerprint": "98c884f98275229d202007f5b2581ea0f6d3c79c20cea07bde0023bfb108b195", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/users/:id", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/auth.js|1107|cwe-285", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/auth.js"}, "region": {"startLine": 1107}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: PATCH /users/:id."}, "properties": {"repobilityId": 109386, "scanner": "repobility-access-control", "fingerprint": "d6e1c5e483e457e14875bf14a2f6ed130c6214d0193dbcfc7310890e135e1101", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/users/:id", "method": "PATCH", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/auth.js|930|cwe-285", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/auth.js"}, "region": {"startLine": 930}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: DELETE /api-tokens/:id."}, "properties": {"repobilityId": 109385, "scanner": "repobility-access-control", "fingerprint": "93a0a3f5a51da4de74099a26d9a1281c2d499ec21b33f55c7d7dab30bf0e5dc7", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api-tokens/:id", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/auth.js|825|cwe-285", "identity_targets": ["authenticated", "owner", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/auth.js"}, "region": {"startLine": 825}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /api-tokens."}, "properties": {"repobilityId": 109384, "scanner": "repobility-access-control", "fingerprint": "345634d207445f8cbfbd182fd6809b71cae0cdb207efcda2db0dbfc745d57118", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api-tokens", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/auth.js|787|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/auth.js"}, "region": {"startLine": 787}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /api-tokens."}, "properties": {"repobilityId": 109383, "scanner": "repobility-access-control", "fingerprint": "58470bdcbf7b080a8c9a459200e64095e00d572c6c15ce8595ed7d60a71f31cc", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/api-tokens", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/auth.js|772|cwe-285", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/auth.js"}, "region": {"startLine": 772}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: POST /setup."}, "properties": {"repobilityId": 109382, "scanner": "repobility-access-control", "fingerprint": "fd2943f1aaa8c636d785233ce604efdcd7821b9c194356b932a61442593b9620", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/setup", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/auth.js|645|cwe-285", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/auth.js"}, "region": {"startLine": 645}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 32.2% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 109371, "scanner": "repobility-access-control", "fingerprint": "4fefc9c23b7dc721b81b402d9e105a6645547decbbdf58461df5c9e58012cea8", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 211, "correlation_key": "fp|4fefc9c23b7dc721b81b402d9e105a6645547decbbdf58461df5c9e58012cea8", "auth_visible_percent": 32.2}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 109370, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": 
"medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `oikos` image uses the latest tag"}, "properties": {"repobilityId": 109366, "scanner": "repobility-docker", "fingerprint": "6425fe8433df49c942105e8e5a257f2209bb76978284cb52b6de1bc4326ce96d", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/ulsklyc/oikos:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6425fe8433df49c942105e8e5a257f2209bb76978284cb52b6de1bc4326ce96d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC000", "level": "warning", "message": {"text": "Docker Compose file could not be parsed"}, "properties": {"repobilityId": 109365, "scanner": "repobility-docker", "fingerprint": "dc1082497b5342c0309f8a7294179feda03a929a3ea824fbcc6adaa4c9695a57", "category": "docker", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "while scanning for the next token\nfound character '%' that cannot start any token\n  in \"<unicode string>\", line 1, column 2:\n    {% set tpl = ix_lib.base.render.R ... 
\n     ^", "evidence": {"rule_id": "DKC000", "scanner": "repobility-docker", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/"], "correlation_key": "fp|dc1082497b5342c0309f8a7294179feda03a929a3ea824fbcc6adaa4c9695a57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/truenas/templates/docker-compose.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 109363, "scanner": "repobility-docker", "fingerprint": "b98f6b151ac585eebca17f5d769b66cb6471a0448260fe91da3a0d2a01111c8b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:22-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b98f6b151ac585eebca17f5d769b66cb6471a0448260fe91da3a0d2a01111c8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 109362, "scanner": "repobility-docker", "fingerprint": "46ff51bf967b822e141dbd3edb8b2223c7e9aa7114d41a32f6e7ec1564d4c642", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|46ff51bf967b822e141dbd3edb8b2223c7e9aa7114d41a32f6e7ec1564d4c642", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 are a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 109351, "scanner": "repobility-threat-engine", "fingerprint": "344222f8049a79b78fec076e663867d6679a911ccca028a5bc3492656da2bceb", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|93|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/installer/i18n-mini.js"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 are a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 109350, "scanner": "repobility-threat-engine", "fingerprint": "b73ff0100dc65970b9dab75e284380f705946f15d43621db27c2b7a411729ad9", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|28|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/services/ics-parser.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 109349, "scanner": "repobility-threat-engine", "fingerprint": "1a679cdb012382ab387e769523334789cd6712761398d2f8d9d3b4e145c5be39", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`^${prop}(?:;[^:]*)?:(.*)$`, 'im');\n      const m  = re.exec(block);\n      return m ? 
m[1", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1a679cdb012382ab387e769523334789cd6712761398d2f8d9d3b4e145c5be39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/services/ics-parser.js"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC105", "level": "warning", "message": {"text": "[SEC105] Cookie missing HttpOnly/Secure flag: Session cookie is missing HttpOnly (the cookie is readable from JavaScript), Secure (the cookie is also sent over plain HTTP), or SameSite (no cross-site request protection). Each missing attribute on its own is a finding."}, "properties": {"repobilityId": 109344, "scanner": "repobility-threat-engine", "fingerprint": "7ffa3e21d9b541b7e5ba5af300280856b3afd0c12ec2a76d9313325f2749d694", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".cookie('csrf-token', req.session.csrfToken, {\n    httpOnly: false", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC105", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7ffa3e21d9b541b7e5ba5af300280856b3afd0c12ec2a76d9313325f2749d694"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/middleware/csrf.js"}, "region": {"startLine": 39}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 109334, "scanner": "repobility-threat-engine", "fingerprint": "7694bb632d677242e12a07f00b647057e1ec37b63bd7563960dfecba7e773b9c", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no 
mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7694bb632d677242e12a07f00b647057e1ec37b63bd7563960dfecba7e773b9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sw.js"}, "region": {"startLine": 224}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 109333, "scanner": "repobility-threat-engine", "fingerprint": "17dc753f0dbfc18aa157c6fc240a8f29b588bbc264aafdd7c3b5393701f57d91", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|17dc753f0dbfc18aa157c6fc240a8f29b588bbc264aafdd7c3b5393701f57d91"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sw-register.js"}, "region": {"startLine": 33}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 109332, "scanner": "repobility-threat-engine", "fingerprint": "d3879fae0cd4cbe6e05df6e6b230d180e47b44745cf15cba4800bec704ca294f", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d3879fae0cd4cbe6e05df6e6b230d180e47b44745cf15cba4800bec704ca294f"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "public/pages/login.js"}, "region": {"startLine": 124}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 109324, "scanner": "repobility-agent-runtime", "fingerprint": "7e6e9e8b038aa31162edd2ecb12a35f4c7cc3c0e471aeb337396f2c57b310772", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|7e6e9e8b038aa31162edd2ecb12a35f4c7cc3c0e471aeb337396f2c57b310772"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/router.js"}, "region": {"startLine": 172}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 109323, "scanner": "repobility-agent-runtime", "fingerprint": "14ecea14ab0ebcc1f4a698ec0ae7b3c07bfc68811bd645e9b291809aaea932e6", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|14ecea14ab0ebcc1f4a698ec0ae7b3c07bfc68811bd645e9b291809aaea932e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/pages/tasks.js"}, "region": {"startLine": 1334}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed 
silently"}, "properties": {"repobilityId": 109322, "scanner": "repobility-agent-runtime", "fingerprint": "ee54c5ca73305092d4c5c704d541486660622711184dd04a020b1a38e4575169", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|ee54c5ca73305092d4c5c704d541486660622711184dd04a020b1a38e4575169"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/pages/setup.js"}, "region": {"startLine": 112}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 109321, "scanner": "repobility-agent-runtime", "fingerprint": "64cc6d31f6654a8713585a1c0fc28539b1de60cd20446be61d04a0af22c32d70", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|64cc6d31f6654a8713585a1c0fc28539b1de60cd20446be61d04a0af22c32d70"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/pages/settings.js"}, "region": {"startLine": 247}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 109320, "scanner": "repobility-agent-runtime", "fingerprint": "d351d0cfe02cf0e6868da04d3c731290ad94db090bbcb2f1e84158cc4fcc914f", "category": 
"quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|d351d0cfe02cf0e6868da04d3c731290ad94db090bbcb2f1e84158cc4fcc914f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/pages/login.js"}, "region": {"startLine": 124}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 109319, "scanner": "repobility-agent-runtime", "fingerprint": "27dc3a25abb429c13375b0f1ef65662cc525150c602b51c15fe4c83fc3b776a1", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|27dc3a25abb429c13375b0f1ef65662cc525150c602b51c15fe4c83fc3b776a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/pages/calendar.js"}, "region": {"startLine": 369}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 109422, "scanner": "repobility-web-presence", "fingerprint": "12d1aab6ee1a443feb14574bf5d0fbdb1f0693f388e4ba974e05b2dfd78786e8", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": 
{"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|12d1aab6ee1a443feb14574bf5d0fbdb1f0693f388e4ba974e05b2dfd78786e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 109420, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 109419, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 109418, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 109402, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 109368, "scanner": "repobility-docker", "fingerprint": "7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", 
"isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "oikos", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 109367, "scanner": "repobility-docker", "fingerprint": "2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "oikos", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 109364, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 109361, "scanner": "repobility-docker", "fingerprint": "524d7697973da960281e047ef82130061b529d3ea3f58fdd361fd04bf9100b69", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|524d7697973da960281e047ef82130061b529d3ea3f58fdd361fd04bf9100b69"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 109360, "scanner": "repobility-docker", "fingerprint": "9dba8b01f1838c10f5baf40a28b5023d73fcddf0605e10270db64ddd89e957ec", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9dba8b01f1838c10f5baf40a28b5023d73fcddf0605e10270db64ddd89e957ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109280, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a9317f760083b053e38ffe7b28d1b0fdc05b3f985892fb9f85be27c72ddc669f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/test-calendar.js", "duplicate_line": 4, "correlation_key": "fp|a9317f760083b053e38ffe7b28d1b0fdc05b3f985892fb9f85be27c72ddc669f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/test-tasks.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109279, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4b3895ebd6a9320cbd0461cb36246df7a9fa8405c8b7fc2920a283aa4b4df80a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/test-multi-assignment.js", "duplicate_line": 2, "correlation_key": "fp|4b3895ebd6a9320cbd0461cb36246df7a9fa8405c8b7fc2920a283aa4b4df80a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/test-tasks.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109278, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "cf040d7c9b0059af6e45770fcd196ea1b01d190222b25adb1f758a0f99f86492", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/test-shopping.js", "duplicate_line": 1, "correlation_key": "fp|cf040d7c9b0059af6e45770fcd196ea1b01d190222b25adb1f758a0f99f86492"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/test-tasks.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109277, "scanner": "repobility-ai-code-hygiene", "fingerprint": "212226ce27dc553d56afbc0e867db7084bb23aa2b1b89b522f0c9a59bdd0688d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/test-calendar.js", "duplicate_line": 4, "correlation_key": "fp|212226ce27dc553d56afbc0e867db7084bb23aa2b1b89b522f0c9a59bdd0688d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/test-shopping.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109276, "scanner": "repobility-ai-code-hygiene", "fingerprint": "99b9fa4c183a2da1b340fff8cda5ae910aae26705ad5e8f8a4a0a5db73027b0f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/test-multi-assignment.js", "duplicate_line": 2, "correlation_key": "fp|99b9fa4c183a2da1b340fff8cda5ae910aae26705ad5e8f8a4a0a5db73027b0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/test-shopping.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109275, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a763d6379e0f5be12261b6f34e8bea01ca490e1724a5fbc5402fce55f1b753fe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/test-calendar.js", "duplicate_line": 4, "correlation_key": "fp|a763d6379e0f5be12261b6f34e8bea01ca490e1724a5fbc5402fce55f1b753fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/test-search.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109274, "scanner": "repobility-ai-code-hygiene", "fingerprint": "49f208f83e5d7b4b5c0cce95b7847da4deebe2c43402e22fd6684908be5cfcfb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": 
"repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/test-db.js", "duplicate_line": 1, "correlation_key": "fp|49f208f83e5d7b4b5c0cce95b7847da4deebe2c43402e22fd6684908be5cfcfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/test-oidc.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109273, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5e62a6f4e4a063bfa5b3265d80c528086910374ded9be73238fdaebb081cb8d6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/test-calendar.js", "duplicate_line": 4, "correlation_key": "fp|5e62a6f4e4a063bfa5b3265d80c528086910374ded9be73238fdaebb081cb8d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/test-notes-contacts-budget.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109272, "scanner": "repobility-ai-code-hygiene", "fingerprint": "badf4f4620b63fefe592227f20f9bf114fb3455f207d7cdf1c950a06623f2ae3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/test-calendar.js", "duplicate_line": 4, "correlation_key": 
"fp|badf4f4620b63fefe592227f20f9bf114fb3455f207d7cdf1c950a06623f2ae3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/test-multi-assignment.js"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109271, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ec82114739a7791faf1fc8447e35046d1da904cdd68eecc78b122d2d137bc21d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/test-calendar.js", "duplicate_line": 4, "correlation_key": "fp|ec82114739a7791faf1fc8447e35046d1da904cdd68eecc78b122d2d137bc21d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/test-meals.js"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109270, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3ab9e092c245f87d577fd9208f704e21268a69a6762779180f0c0c4c23096d48", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/test-installer-i18n.js", "duplicate_line": 61, "correlation_key": "fp|3ab9e092c245f87d577fd9208f704e21268a69a6762779180f0c0c4c23096d48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/test-installer-static.js"}, "region": 
{"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109269, "scanner": "repobility-ai-code-hygiene", "fingerprint": "91c4ad9ae3cec6b58d5fb3603d4ebc1b3666a4bd53d292870db636a37193dd32", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "test/test-installer-i18n.js", "duplicate_line": 60, "correlation_key": "fp|91c4ad9ae3cec6b58d5fb3603d4ebc1b3666a4bd53d292870db636a37193dd32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/test-installer-prereq.js"}, "region": {"startLine": 113}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109268, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4f24c4ee6f157b3c408943bd30247d5e452ee2358c0487be2a011e7c9e38f838", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/routes/preferences.js", "duplicate_line": 35, "correlation_key": "fp|4f24c4ee6f157b3c408943bd30247d5e452ee2358c0487be2a011e7c9e38f838"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/services/modules.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109267, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "f8a13d79578a4c6615a511fcfcd9e3e04c9c850f596127fc6942ab4550a521df", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/routes/preferences.js", "duplicate_line": 35, "correlation_key": "fp|f8a13d79578a4c6615a511fcfcd9e3e04c9c850f596127fc6942ab4550a521df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/services/google-calendar.js"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109266, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b11b9cf6d01553160c6583bd6f65019b890c95d4da223554272252fab3b71e5f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/services/apple-calendar.js", "duplicate_line": 22, "correlation_key": "fp|b11b9cf6d01553160c6583bd6f65019b890c95d4da223554272252fab3b71e5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/services/google-calendar.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109265, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3206ad4132cb12a7128763cc8116333217e81aa97918d2f36bdd0c058c291713", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/services/apple-calendar.js", "duplicate_line": 6, "correlation_key": "fp|3206ad4132cb12a7128763cc8116333217e81aa97918d2f36bdd0c058c291713"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/services/caldav-sync.js"}, "region": {"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109264, "scanner": "repobility-ai-code-hygiene", "fingerprint": "edfa6d4ba28732beafb73bd01cb1d75968d80e7662e5299ce5e6d02b247099f0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/routes/preferences.js", "duplicate_line": 35, "correlation_key": "fp|edfa6d4ba28732beafb73bd01cb1d75968d80e7662e5299ce5e6d02b247099f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/services/apple-calendar.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 109263, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e98182b5fea9f7ab0fabde6ddead87fa74cdd75554eed5d1f90fb8a16ea89062", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in 
two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/pages/login.js", "duplicate_line": 7, "correlation_key": "fp|e98182b5fea9f7ab0fabde6ddead87fa74cdd75554eed5d1f90fb8a16ea89062"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/pages/setup.js"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 109262, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fd3f1ce84bc6d7385e0ef18d21272193d1bd56fdc3dc2bb3c99033c201f9add2", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "backup", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|fd3f1ce84bc6d7385e0ef18d21272193d1bd56fdc3dc2bb3c99033c201f9add2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/restore-backup.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 109359, "scanner": "repobility-threat-engine", "fingerprint": "91a822b978039eedaf5b91a13800c74e2af378d11d22010b3aaeb76a51cc330d", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|91a822b978039eedaf5b91a13800c74e2af378d11d22010b3aaeb76a51cc330d"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 109355, "scanner": "repobility-threat-engine", "fingerprint": "338be4c46645cb32c2d674faa90014b773ef8f24f945e413c4d876c4b116eb14", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.error('Error: password must be at least 8 characters long.')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|setup.js|9|console.error error: password must be at least 8 characters long."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup.js"}, "region": {"startLine": 97}}}]}, {"ruleId": "SEC135", "level": "none", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 109348, "scanner": "repobility-threat-engine", "fingerprint": "b25ee310249da2ffc6da99e224bbd8d1769f7974ef7e6622c105e71bd7dd26fa", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b25ee310249da2ffc6da99e224bbd8d1769f7974ef7e6622c105e71bd7dd26fa"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 109342, "scanner": "repobility-threat-engine", "fingerprint": "8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b"}}}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 109335, "scanner": "repobility-threat-engine", "fingerprint": "e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|e7174d71aa23c14419f9144792a6ba116afcec3004f64b82de4dbf54fc9e1921"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 109331, "scanner": "repobility-threat-engine", "fingerprint": "2500149d17200b02dc944a728685cd05b846401834f302a875dfa03eb5435cda", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2500149d17200b02dc944a728685cd05b846401834f302a875dfa03eb5435cda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "setup.js"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 109330, "scanner": "repobility-threat-engine", "fingerprint": "a625d43b73ee444fb87f98736919e20664c694ea614bee68a9c980d410e73fe2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", 
"owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a625d43b73ee444fb87f98736919e20664c694ea614bee68a9c980d410e73fe2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/reminders.js"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 109329, "scanner": "repobility-threat-engine", "fingerprint": "e72d68872a721e605bc44dd8dc5fcc225688e811d4e48ab3ccd59c113f115f3f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e72d68872a721e605bc44dd8dc5fcc225688e811d4e48ab3ccd59c113f115f3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/nav-icons.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 5 more): Same pattern found in 5 additional files. 
Review if needed."}, "properties": {"repobilityId": 109328, "scanner": "repobility-threat-engine", "fingerprint": "616a737d019ae97f53e0426cdc95b2538ef7f9404ddcccfa97846cbdfe3982a9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|616a737d019ae97f53e0426cdc95b2538ef7f9404ddcccfa97846cbdfe3982a9", "aggregated_count": 5}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 109327, "scanner": "repobility-threat-engine", "fingerprint": "400a8d5c5d0fbff4edf32557dbc2fbb75e0e292e60ba3e574148bd93b4f04f5a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|400a8d5c5d0fbff4edf32557dbc2fbb75e0e292e60ba3e574148bd93b4f04f5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/generate-icons.js"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 109326, "scanner": "repobility-threat-engine", "fingerprint": "63e63d5f10faafa4c16ad358fd0648d619c4ce9da9fc49ade1afb71c18864735", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|63e63d5f10faafa4c16ad358fd0648d619c4ce9da9fc49ade1afb71c18864735"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sw-register.js"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 109325, "scanner": "repobility-threat-engine", "fingerprint": "1014919b93f92442534b3f7231dc9bfc1410c45566f392cffdecc8482626d12c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1014919b93f92442534b3f7231dc9bfc1410c45566f392cffdecc8482626d12c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/screenshots/build-unraid-composites.mjs"}, "region": {"startLine": 105}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /:listId/items."}, "properties": {"repobilityId": 109381, "scanner": "repobility-access-control", "fingerprint": "0d651c23604e3798883c97affc8ea412743b23fdcd0f36047bae287494099800", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:listId/items", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/routes/shopping.js|371|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 371}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: DELETE /:listId."}, "properties": {"repobilityId": 109380, "scanner": "repobility-access-control", "fingerprint": "acfb6ac8b650a4421c49eaaa8a6bc6d02d8885b18b09723cbc75132d749c03b9", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:listId", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/routes/shopping.js|351|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 351}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: PUT /:listId."}, "properties": {"repobilityId": 109379, "scanner": "repobility-access-control", "fingerprint": "83bee791b26abf4e79a0cd29f276101f25c732abe53db4d2770537cd4cb3d775", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:listId", "method": "PUT", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/routes/shopping.js|325|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 325}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: DELETE /items/:itemId."}, "properties": {"repobilityId": 109378, "scanner": "repobility-access-control", "fingerprint": "91f4fbd8ad02643ee6cfeb486b0e6f9a5834b32c77f65881389fa42c58dffec0", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/items/:itemId", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/routes/shopping.js|256|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 256}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: PATCH /items/:itemId."}, "properties": {"repobilityId": 109377, "scanner": "repobility-access-control", "fingerprint": "015da98e873ba250069cc89af61eebd2a78a93537806e0448eddb140cc537f92", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/items/:itemId", "method": "PATCH", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/routes/shopping.js|215|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 215}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: DELETE /categories/:catId."}, "properties": {"repobilityId": 109376, "scanner": "repobility-access-control", "fingerprint": "d7d4855329ee0ecd0a5b436830c9ec4506e1c7eb55fe1e150ec4af4e5391cad3", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/categories/:catId", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/routes/shopping.js|128|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 128}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: PUT /categories/:catId."}, "properties": {"repobilityId": 109375, "scanner": "repobility-access-control", "fingerprint": "0e302507154ba610fadbdf6d011decd72355ecd3f64da107d9db5e77375b4944", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/categories/:catId", "method": "PUT", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|server/routes/shopping.js|87|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 87}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: DELETE /decay-tasks/:taskId."}, "properties": {"repobilityId": 109374, "scanner": "repobility-access-control", "fingerprint": "dcb135cd2df76f3e79e76d919ce123c3f24f53c42a999d59ccc38c2b5bf115c0", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/decay-tasks/:taskId", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|997|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 997}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: POST /decay-tasks/:taskId/complete."}, "properties": {"repobilityId": 109373, "scanner": "repobility-access-control", "fingerprint": "f3e79d58759b07977cde19d1c99e903295c438bf085709af7470647f521018c5", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/decay-tasks/:taskId/complete", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|981|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 981}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: PATCH /decay-tasks/:taskId."}, "properties": {"repobilityId": 109372, "scanner": "repobility-access-control", "fingerprint": "b6f85ec61cb87ac0a821c8b05f158dd29d1c9d93cf071071af659000d649415a", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/decay-tasks/:taskId", "method": "PATCH", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|951|cwe-639", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 951}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 109354, "scanner": "repobility-threat-engine", "fingerprint": "105533c1360b60d211d11e343caf7426414ae15600c21d7b655674eb3df95442", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((t) => `\"${t.replace(/\"/g, '\"\"')}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|105533c1360b60d211d11e343caf7426414ae15600c21d7b655674eb3df95442"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/services/search.js"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 109353, "scanner": "repobility-threat-engine", "fingerprint": "d22b414c73d753b1ea7f948aae74e37719cf088676971e75ec24dc7c324b3ce9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(str", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d22b414c73d753b1ea7f948aae74e37719cf088676971e75ec24dc7c324b3ce9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/installer/i18n-mini.js"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 109352, "scanner": "repobility-threat-engine", "fingerprint": "c11402975cc928faea113f90b4e0049c1a6dda4dcc05d48d3964ccaf6ab3b503", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(unfolded", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c11402975cc928faea113f90b4e0049c1a6dda4dcc05d48d3964ccaf6ab3b503"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/services/ics-parser.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 109347, "scanner": "repobility-threat-engine", "fingerprint": "c1ebaf0f4436c20f38f1c7e538dc08b61155bd5ccf429fe6a00c49a43edf0be2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.post('/', (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c1ebaf0f4436c20f38f1c7e538dc08b61155bd5ccf429fe6a00c49a43edf0be2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/notes.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 109346, "scanner": "repobility-threat-engine", "fingerprint": "3b9701f88b842daa455ccf38590b2d0e24fe4efcae1ea8046b09fa657a32c4a0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.post('/accounts', async (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3b9701f88b842daa455ccf38590b2d0e24fe4efcae1ea8046b09fa657a32c4a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/cardav.js"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC135", "level": "error", "message": {"text": "[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we see in AI-generated SaaS code: the AI builds the route, builds the handler, and forgets to wire the auth check that the rest of the codebase uses. CWE-862 (missing authorization). 
High-severity because the route is fully functional, just unprotected \u2014 attackers can call it directly."}, "properties": {"repobilityId": 109345, "scanner": "repobility-threat-engine", "fingerprint": "8fcf038ecde044af74bb1ff335684a8a694dc88bf880163734a94a7427822071", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "router.post('/', (req, res) => {", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC135", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8fcf038ecde044af74bb1ff335684a8a694dc88bf880163734a94a7427822071"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/birthdays.js"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC036", "level": "error", "message": {"text": "[SEC036] HTTP Header Injection / CRLF Injection: Setting an HTTP response header from user input without stripping CRLF lets attackers inject extra headers (Set-Cookie, etc.) or split the response. Real CVEs: CVE-2017-15193 (Mahara), CVE-2019-11358 (Django), CVE-2020-26116 (Python http.client). 
CWE-93/113."}, "properties": {"repobilityId": 109343, "scanner": "repobility-threat-engine", "fingerprint": "b9af385bfbfda8738382484dcaca99cb5b9444bb382bc01ced4dc460a8cd4bf0", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "res.setHeader('X-CSRF-Token', req", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC036", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|server/middleware/csrf.js|48|sec036"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/middleware/csrf.js"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 109341, "scanner": "repobility-threat-engine", "fingerprint": "cacb179e48778e36409818031ad39a5730df4af6be81be2d1c8a904aa2da4847", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(i", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cacb179e48778e36409818031ad39a5730df4af6be81be2d1c8a904aa2da4847"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/services/modules.js"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 109340, "scanner": "repobility-threat-engine", "fingerprint": "6a46c9ea052e9855094d1b86805d4af25333666b3811a0fec9daefb97da1b831", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6a46c9ea052e9855094d1b86805d4af25333666b3811a0fec9daefb97da1b831"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/services/ics-subscription.js"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 109339, "scanner": "repobility-threat-engine", "fingerprint": "50df611b828284d6eb0a2e0aaf504e9f9fc9699830023cc4b1978af9446e577d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|50df611b828284d6eb0a2e0aaf504e9f9fc9699830023cc4b1978af9446e577d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sw.js"}, "region": {"startLine": 188}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 109338, "scanner": "repobility-threat-engine", "fingerprint": "22e25e614dbbbc06412c59be044d29ea66c716d474b1834ae67d7a84038180a8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cache.delete(k);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|22e25e614dbbbc06412c59be044d29ea66c716d474b1834ae67d7a84038180a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/weather.js"}, "region": {"startLine": 135}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 109337, "scanner": "repobility-threat-engine", "fingerprint": "b4175278ae2ab5afd91075a36e918dd02b5cae702729808ca84bedad891d9793", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.all(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b4175278ae2ab5afd91075a36e918dd02b5cae702729808ca84bedad891d9793"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sw.js"}, "region": {"startLine": 137}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 109336, "scanner": "repobility-threat-engine", "fingerprint": "aa780945c6de0a972af1c77536f42deb3e0220575ab5af02d4c12b1f19b0b9d5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_shownIds.delete(id);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|aa780945c6de0a972af1c77536f42deb3e0220575ab5af02d4c12b1f19b0b9d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/reminders.js"}, "region": {"startLine": 210}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 109318, "scanner": "repobility-supply-chain", "fingerprint": "8a273330b08a2fad509b455b7b4c5473abbb207f53f82dbe3c5dfdbc87ce9912", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8a273330b08a2fad509b455b7b4c5473abbb207f53f82dbe3c5dfdbc87ce9912"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/truenas-publish.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 109317, "scanner": "repobility-supply-chain", "fingerprint": "0cccdd061a0e56451c31c5d7bde5e8629da1102fcd21a5a0eafa04d2659d4314", "category": "dependency", "severity": "high", 
"confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0cccdd061a0e56451c31c5d7bde5e8629da1102fcd21a5a0eafa04d2659d4314"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/truenas-publish.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 109316, "scanner": "repobility-supply-chain", "fingerprint": "1727b0784f2cec8d54f1671c129699f168c1e7e41bde8b143f49331dfea1b5eb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1727b0784f2cec8d54f1671c129699f168c1e7e41bde8b143f49331dfea1b5eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/truenas-publish.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `anthropics/claude-code-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 109315, "scanner": "repobility-supply-chain", "fingerprint": "4b6ee0aae6da4a53e262db45ab5605fa522c8e1899a5f365d90ee13d83d9fa25", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", 
"correlation_key": "fp|4b6ee0aae6da4a53e262db45ab5605fa522c8e1899a5f365d90ee13d83d9fa25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 109314, "scanner": "repobility-supply-chain", "fingerprint": "14e02bcf926b0da5d4a2677501979f74c3e7e9e84eccdd57f90d35b6d88bf96d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|14e02bcf926b0da5d4a2677501979f74c3e7e9e84eccdd57f90d35b6d88bf96d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-node` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 109313, "scanner": "repobility-supply-chain", "fingerprint": "06b606f75a95ed5377e85b8c604f197847b68b696a7f647fd0c35ed513b0b5a0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|06b606f75a95ed5377e85b8c604f197847b68b696a7f647fd0c35ed513b0b5a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable 
ref `@v4`"}, "properties": {"repobilityId": 109312, "scanner": "repobility-supply-chain", "fingerprint": "e52506f2fa86d9159986f75fd7462e1b15fb48ce586e09cb6b77013b1ee63384", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e52506f2fa86d9159986f75fd7462e1b15fb48ce586e09cb6b77013b1ee63384"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 109311, "scanner": "repobility-supply-chain", "fingerprint": "467d4545826cfa59a415b5564475d8bf04f2e53713481c14f1b303eec5648e3d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|467d4545826cfa59a415b5564475d8bf04f2e53713481c14f1b303eec5648e3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-publish.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `anthropics/claude-code-action` pinned to mutable ref `@v1`"}, "properties": {"repobilityId": 109309, "scanner": "repobility-supply-chain", "fingerprint": "3e6feb5b8e19c82973332ebdda1787299151368b61fd824203ca5903cad58cd5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": 
"", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3e6feb5b8e19c82973332ebdda1787299151368b61fd824203ca5903cad58cd5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-code-review.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 109308, "scanner": "repobility-supply-chain", "fingerprint": "9f7af3380e4e5e59926fbcc8e6eb2845163d02b7657b9d81b9447201b902e4c2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9f7af3380e4e5e59926fbcc8e6eb2845163d02b7657b9d81b9447201b902e4c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-code-review.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22-slim` not pinned by digest"}, "properties": {"repobilityId": 109307, "scanner": "repobility-supply-chain", "fingerprint": "31e49a68c9186547a08779beb748e94a3eed7ecfe1a73045cf0fb027260a89a6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|31e49a68c9186547a08779beb748e94a3eed7ecfe1a73045cf0fb027260a89a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `node:22-slim` not pinned by digest"}, "properties": {"repobilityId": 109306, "scanner": "repobility-supply-chain", "fingerprint": "fcc4a4c4c5e55a5f749c659a5f994ebac80a0550f3875ee3302e705d306c40fb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fcc4a4c4c5e55a5f749c659a5f994ebac80a0550f3875ee3302e705d306c40fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /:listId/items/checked has no auth"}, "properties": {"repobilityId": 109305, "scanner": "repobility-route-auth", "fingerprint": "95e856f587965305f5026b57c4ae7a6df17bb464fe702a9e748b8c26c55e8f83", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|95e856f587965305f5026b57c4ae7a6df17bb464fe702a9e748b8c26c55e8f83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 440}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /:listId/items has no auth"}, "properties": 
{"repobilityId": 109304, "scanner": "repobility-route-auth", "fingerprint": "d2be627960c96b464970866ed98c8ae3d4dda2bb202188614d821e7e2c35b0f0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|d2be627960c96b464970866ed98c8ae3d4dda2bb202188614d821e7e2c35b0f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 403}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /:listId has no auth"}, "properties": {"repobilityId": 109303, "scanner": "repobility-route-auth", "fingerprint": "69e590b07814a0730c92110dca87c451d96f7fd5c80736a2fe71bfd428164b21", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|69e590b07814a0730c92110dca87c451d96f7fd5c80736a2fe71bfd428164b21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 351}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /:listId has no auth"}, "properties": {"repobilityId": 109302, "scanner": "repobility-route-auth", "fingerprint": "cdc25f93feddfa3021d429a6cf6a1ccb31d344a9fc7eedcde059e12d2b56d535", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": 
true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|cdc25f93feddfa3021d429a6cf6a1ccb31d344a9fc7eedcde059e12d2b56d535"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 325}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST / has no auth"}, "properties": {"repobilityId": 109301, "scanner": "repobility-route-auth", "fingerprint": "76bb5a6101c64e4df3306eb4f6d21f75ed22bd0a7e95c2494b8ed5d335cd137c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|76bb5a6101c64e4df3306eb4f6d21f75ed22bd0a7e95c2494b8ed5d335cd137c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 300}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /items/:itemId has no auth"}, "properties": {"repobilityId": 109300, "scanner": "repobility-route-auth", "fingerprint": "89c93d4f8cade62c4d8a40769cd2f20d5cb35ac9b0b07865d1b4b16889d7e562", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": 
"fp|89c93d4f8cade62c4d8a40769cd2f20d5cb35ac9b0b07865d1b4b16889d7e562"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 256}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PATCH /items/:itemId has no auth"}, "properties": {"repobilityId": 109299, "scanner": "repobility-route-auth", "fingerprint": "b44aaad785ea79d9c8f23469bfb6ab6a05d74b630f07b4b7025ce76cf8d94c94", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b44aaad785ea79d9c8f23469bfb6ab6a05d74b630f07b4b7025ce76cf8d94c94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 215}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PATCH /categories/reorder has no auth"}, "properties": {"repobilityId": 109298, "scanner": "repobility-route-auth", "fingerprint": "85b146f18fa304f18b82ab3fcc51d300b752bbe6b9f456355278872aa1fca398", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|85b146f18fa304f18b82ab3fcc51d300b752bbe6b9f456355278872aa1fca398"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 167}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE 
/categories/:catId has no auth"}, "properties": {"repobilityId": 109297, "scanner": "repobility-route-auth", "fingerprint": "228726870e8f0d0281427fe46e5047e32a07ee795a9e974f9b6c5388bc30aa7c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|228726870e8f0d0281427fe46e5047e32a07ee795a9e974f9b6c5388bc30aa7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /categories/:catId has no auth"}, "properties": {"repobilityId": 109296, "scanner": "repobility-route-auth", "fingerprint": "74e2edd625f35159c8350c60c6a95dbb350e51fd0761818d0d82709c00184365", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|74e2edd625f35159c8350c60c6a95dbb350e51fd0761818d0d82709c00184365"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /categories has no auth"}, "properties": {"repobilityId": 109295, "scanner": "repobility-route-auth", "fingerprint": "150a552fed8a51e1df8b5fa403d69c34a3c6f4458b23ab39a2b561070d0f9bdb", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": 
"", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|150a552fed8a51e1df8b5fa403d69c34a3c6f4458b23ab39a2b561070d0f9bdb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/shopping.js"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /maintenance-log has no auth"}, "properties": {"repobilityId": 109294, "scanner": "repobility-route-auth", "fingerprint": "e15919e1878ef3d7e8a28ce7b0bf90a00863ddbaec8a063a59c82c235f08dd46", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|e15919e1878ef3d7e8a28ce7b0bf90a00863ddbaec8a063a59c82c235f08dd46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 1052}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /supply-requests has no auth"}, "properties": {"repobilityId": 109293, "scanner": "repobility-route-auth", "fingerprint": "2d5cbb609785b33839510e8d8fbf5f43592ad25612b05bc7f8c7923e22c47e86", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", 
"correlation_key": "fp|2d5cbb609785b33839510e8d8fbf5f43592ad25612b05bc7f8c7923e22c47e86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 1010}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /decay-tasks/:taskId has no auth"}, "properties": {"repobilityId": 109292, "scanner": "repobility-route-auth", "fingerprint": "4c2583ebc3e47a0a383d2516d0ce7639027b84567ca7e1a7ba412c9b660a22c9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|4c2583ebc3e47a0a383d2516d0ce7639027b84567ca7e1a7ba412c9b660a22c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 997}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /decay-tasks/:taskId/complete has no auth"}, "properties": {"repobilityId": 109291, "scanner": "repobility-route-auth", "fingerprint": "bd695fd081f4d506ae236d0043a80fbc5cfaddfdd4d27b74f72833c292557bd7", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|bd695fd081f4d506ae236d0043a80fbc5cfaddfdd4d27b74f72833c292557bd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 981}}}]}, {"ruleId": "MINED113", "level": 
"error", "message": {"text": "Express PATCH /decay-tasks/:taskId has no auth"}, "properties": {"repobilityId": 109290, "scanner": "repobility-route-auth", "fingerprint": "b4b53d6a434987d3a30430670f1d50decc7b8793f76361346784bfb2907b6346", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b4b53d6a434987d3a30430670f1d50decc7b8793f76361346784bfb2907b6346"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 951}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /decay-tasks has no auth"}, "properties": {"repobilityId": 109289, "scanner": "repobility-route-auth", "fingerprint": "6ffa1158666fbe1dcf3e9955d0989ebc265d2dfe206a2e500c79bd5ab4d16565", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6ffa1158666fbe1dcf3e9955d0989ebc265d2dfe206a2e500c79bd5ab4d16565"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 927}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /work-sessions/check-out has no auth"}, "properties": {"repobilityId": 109288, "scanner": "repobility-route-auth", "fingerprint": "97134d5b4e7c80941881139be46e7c258d5aca8e1000b38410889387e8909614", "category": "quality", "severity": 
"high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|97134d5b4e7c80941881139be46e7c258d5aca8e1000b38410889387e8909614"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 869}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express DELETE /visits/:id has no auth"}, "properties": {"repobilityId": 109287, "scanner": "repobility-route-auth", "fingerprint": "727b040f20f84cec2d658ead4fc1235b1f4fe0fadf8c45c67eace91c5f24b787", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|727b040f20f84cec2d658ead4fc1235b1f4fe0fadf8c45c67eace91c5f24b787"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 852}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /visits/:id/pay has no auth"}, "properties": {"repobilityId": 109286, "scanner": "repobility-route-auth", "fingerprint": "eb4fa2cabfa4ad72043736c6153ab05fb2a9901238c5fe954f238618e0a74f1b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], 
"observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|eb4fa2cabfa4ad72043736c6153ab05fb2a9901238c5fe954f238618e0a74f1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 831}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express PUT /visits/:id has no auth"}, "properties": {"repobilityId": 109285, "scanner": "repobility-route-auth", "fingerprint": "42aa0af959a8591bec363c64bc302ee262d5d737d7114b86b237baa86562ced0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|42aa0af959a8591bec363c64bc302ee262d5d737d7114b86b237baa86562ced0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 763}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /work-sessions/check-in has no auth"}, "properties": {"repobilityId": 109284, "scanner": "repobility-route-auth", "fingerprint": "90dc9b38002e00bae9f7a0e08763c18b7e308ee9e5e426aafe0a3e97fb2a2f7f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|90dc9b38002e00bae9f7a0e08763c18b7e308ee9e5e426aafe0a3e97fb2a2f7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": 
{"startLine": 678}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /worker has no auth"}, "properties": {"repobilityId": 109283, "scanner": "repobility-route-auth", "fingerprint": "e31160f839f07c1bcbe63289c3496075c2e52fd1740b5f0c3c84e824d85cdc1b", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|e31160f839f07c1bcbe63289c3496075c2e52fd1740b5f0c3c84e824d85cdc1b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/routes/housekeeping.js"}, "region": {"startLine": 499}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /setup has no auth"}, "properties": {"repobilityId": 109282, "scanner": "repobility-route-auth", "fingerprint": "e24cec0877a25575c18a137b03431cce5090f3e755a74f743f79632f96bc07ea", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|e24cec0877a25575c18a137b03431cce5090f3e755a74f743f79632f96bc07ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/auth.js"}, "region": {"startLine": 645}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "Express POST /login has no auth"}, "properties": {"repobilityId": 109281, "scanner": "repobility-route-auth", "fingerprint": "cc32c9a7d478cf1893baf8fb20ed990ab3f06e5dcb6a9b970ccbaeb5f3d20596", "category": "quality", 
"severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|cc32c9a7d478cf1893baf8fb20ed990ab3f06e5dcb6a9b970ccbaeb5f3d20596"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/auth.js"}, "region": {"startLine": 460}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 109369, "scanner": "gitleaks", "fingerprint": "9a48f6ef62f528d44d2610d76c0ea20266b76c5828ca089a090fc577a351118d", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "token = '<redacted>'", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|test/test-api.js|10|token redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/test-api.js"}, "region": {"startLine": 102}}}]}, {"ruleId": "SEC001", "level": "error", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 109358, "scanner": "repobility-threat-engine", "fingerprint": "b04d00f92c22dda6d67de1471121a9d5214f057b3dc1592c638be16fdcc1e98a", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (3.9 bits) \u2014 likely real secret", "evidence": {"match": "password=\"<redacted> (min 8 chars):\"", "reason": "High entropy value (3.9 bits) \u2014 likely real secret", "rule_id": 
"SEC001", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|token|5|password redacted min 8 chars :"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/installer/locales/cli/en.sh"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC001", "level": "error", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 109357, "scanner": "repobility-threat-engine", "fingerprint": "02ada4eaefb9047970ae934cf0e7ee0883f600b90c059deafe42686020b9d69b", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.3 bits) \u2014 likely real secret", "evidence": {"match": "password=\"<redacted> (mind. 8 Zeichen):\"", "reason": "High entropy value (4.3 bits) \u2014 likely real secret", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|token|5|password redacted mind. 8 zeichen :"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/installer/locales/cli/de.sh"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC001", "level": "error", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 109356, "scanner": "repobility-threat-engine", "fingerprint": "b083fd404f501327a4cc42b3bd327d0ac0ad1292442e4db669833a31b3436d4f", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.1 bits) \u2014 likely real secret", "evidence": {"match": "password=\"<redacted> (min. 8 znak\u016f):\"", "reason": "High entropy value (4.1 bits) \u2014 likely real secret", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|token|5|password redacted min. 
8 znak :"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/installer/locales/cli/cs.sh"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.CLAUDE_CODE_OAUTH_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 109310, "scanner": "repobility-supply-chain", "fingerprint": "5a5d2d089f5dc640eb9bdaee08f132798e8f269a463024d60349a25a1d042bb8", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5a5d2d089f5dc640eb9bdaee08f132798e8f269a463024d60349a25a1d042bb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-code-review.yml"}, "region": {"startLine": 38}}}]}]}]}