{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB012", "name": "Service worker is present without a web app manifest", "shortDescription": {"text": "Service worker is present without a web app manifest"}, "fullDescription": {"text": "Add a valid manifest.json or site.webmanifest and reference it from the document head. Include name, icons, start_url, display, and theme colors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `mailpit` image has no explicit tag", "shortDescription": {"text": "Compose service `mailpit` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": 
"DKR003", "name": "Compose service `devcontainer` image uses the latest tag", "shortDescription": {"text": "Compose service `devcontainer` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC130", "name": "[SEC130] Hallucinated package name \u2014 looks like a real package but isn't: Import of a package name that closely resemble", "shortDescription": {"text": "[SEC130] Hallucinated package name \u2014 looks like a real package but isn't: Import of a package name that closely resembles a popular one but isn't published \u2014 a classic AI hallucination. 
Two risks: (1) the code crashes on install in fresh en"}, "fullDescription": {"text": "Verify the import resolves to a real, maintained package: check pypi.org / npmjs.com directly. If the package doesn't exist, the AI invented it \u2014 find the real package the AI was thinking of and swap. Pin all deps to known-good versions and require a registry allowlist in CI."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. 
Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": 
{"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. 
Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED057", "name": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolve", "shortDescription": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input (and 2 more): Same pattern found in 2 additional files. Review", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html (and 7 more): Same pattern found in 7 additional files. Review if needed.", "shortDescription": {"text": "[MINED058] React Dangerously Set Html (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 65 more): Same pattern found in 65 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 65 more): Same pattern found in 65 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 44 more): Same pattern found in 44 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 44 more): Same pattern found in 44 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16, plus 127/8, 0.0.0.0/8 and the IPv6 loopback, link-local and ULA ranges (::1, fe80::/10, fc00::/7).\nCheck the address the hostname actually resolves to, not only the hostname string, and re-validate on every redirect: an allowlisted host can resolve to or redirect to an internal address (DNS rebinding, open redirect), and 169.254.169.254 is the cloud metadata endpoint. Disabling redirects in the HTTP client is the simplest way to close the redirect path."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 7 more): Same pattern found in 7 additional files. 
Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `node:24-bookworm` not pinned by digest: `FROM node:24-bookworm` resolves the tag at build ti", "shortDescription": {"text": "[MINED118] Dockerfile FROM `node:24-bookworm` not pinned by digest: `FROM node:24-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production ima"}, "fullDescription": {"text": "Replace with: `FROM node:24-bookworm@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` (or no `ports:` entry at all; services on the same Compose network already reach each other by service name) for service-to-service access, bind to 127.0.0.1 (for example `\"127.0.0.1:5432:5432\"`) for local-only access, or protect the port with firewall rules. Do not rely on a host firewall such as ufw alone: on Linux the Docker daemon inserts its own iptables rules ahead of the host's, so a port published on 0.0.0.0 is typically reachable from outside regardless. Verify the exposure from another host rather than from the Docker host itself."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", 
"confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. 
Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with a fixed command name and a separate args array; never pass shell strings, and do not set `shell: true` (it hands the joined string back to a shell and reintroduces the injection). Validate user-derived arguments even then: many tools treat a leading `-` as an option, so an attacker-chosen argument can still change what the command does (argument injection)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Join the user-supplied name onto the base directory, resolve the result with os.path.realpath() (it follows symlinks and collapses ..), and then check containment against the realpath of the base directory with os.path.commonpath([base, resolved]) == base, or a prefix test against base + os.sep. A bare startswith(base) is not enough: it also accepts sibling paths such as base_evil/secret. Use secure_filename() for uploads, and still apply the containment check on the final joined path, since a sanitized filename alone does not prove where the file ends up."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in G", "shortDescription": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY` on a `pull_request` trigger: This workflow triggers ", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }` lets a "}, "fullDescription": {"text": "Remove the secret reference from the `pull_request` job, or move the step that needs it into a separate job that runs only on `push` to trusted branches. Note that for `pull_request` runs triggered from forks GitHub withholds repository secrets (and GITHUB_TOKEN is read-only by default), so the practical exposure is from same-repository branches. Do NOT simply switch the trigger to `pull_request_target` as the fix: that event DOES receive secrets and becomes exploitable as soon as the workflow checks out and builds or runs the PR head (for example actions/checkout with `ref` set to the PR's head SHA). If `pull_request_target` is genuinely required, never execute fork-controlled code in that job."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) 
compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED015", "name": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection.", "shortDescription": {"text": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/710"}, "properties": {"repository": "freeCodeCamp/freeCodeCamp", "repoUrl": "https://github.com/freeCodeCamp/freeCodeCamp", "branch": "main"}, "results": [{"ruleId": "WEB012", "level": "warning", "message": {"text": "Service worker is present without a web app manifest"}, "properties": {"repobilityId": 57215, "scanner": "repobility-web-presence", "fingerprint": "fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A service worker was discovered but no common web manifest file was found.", "evidence": {"rule_id": "WEB012", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/Manifest"], "correlation_key": "fp|fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "manifest.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 57214, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `mailpit` image has no explicit tag"}, "properties": {"repobilityId": 57207, "scanner": "repobility-docker", "fingerprint": "9f10f4d4beb3bbd825deabd0635aabaa44a0d89150e4f676807bce7e963fc8f0", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "axllent/mailpit", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9f10f4d4beb3bbd825deabd0635aabaa44a0d89150e4f676807bce7e963fc8f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 57206, "scanner": "repobility-docker", "fingerprint": "a10942327c1131a05c0502e4018e7759fdba893dbf6083452335d96dc3720607", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "setup", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|a10942327c1131a05c0502e4018e7759fdba893dbf6083452335d96dc3720607"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": 
{"repobilityId": 57203, "scanner": "repobility-docker", "fingerprint": "2126e3ea5d484e5ecf877da58e576bd440ba43ab5a8842a31125c8325891b8f1", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "setup", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|2126e3ea5d484e5ecf877da58e576bd440ba43ab5a8842a31125c8325891b8f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `devcontainer` image uses the latest tag"}, "properties": {"repobilityId": 57201, "scanner": "repobility-docker", "fingerprint": "06ca6ae8582027f082572c79ab8c3742faf29500dff435761579bdef6c20b6c5", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "ghcr.io/freecodecamp/devcontainer:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|06ca6ae8582027f082572c79ab8c3742faf29500dff435761579bdef6c20b6c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 57165, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5980d9655673213f5090b308b2577b66a3d16925298ee66a31cd4968dbd9dfdd", "category": "quality", "severity": 
"medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "optimized", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "client/src/components/search/searchBar/search-bar.tsx", "correlation_key": "fp|5980d9655673213f5090b308b2577b66a3d16925298ee66a31cd4968dbd9dfdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/components/search/searchBar/search-bar-optimized.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 57144, "scanner": "repobility-threat-engine", "fingerprint": "f7b563a96be249d9f04b3ac2be9598aca1e6ebd755fc08c42b386d28916829ea", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|11|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/challenge-parser/parser/plugins/add-frontmatter.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 57143, "scanner": "repobility-threat-engine", "fingerprint": "a5bdfb29166abc0ed34b12c00de6b366ff17cfa79d1202ce8f13075e57da607f", "category": "deserialization", "severity": "medium", "confidence": 1.0, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|14|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/challenge-linter/src/index.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 57142, "scanner": "repobility-threat-engine", "fingerprint": "220a5066a34983b782d27a608b96357add0b8dae2ddeb77450cbf8c1e7aa055a", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|54|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/tools/download-trending.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 57132, "scanner": "repobility-threat-engine", "fingerprint": "048b340f27eab6df60ae70604e2144505f790d12da7c756507590405be9a1cc4", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new Function(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|25|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "curriculum/src/file-handler.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 57131, "scanner": "repobility-threat-engine", "fingerprint": "1953927c978e6dfb54328f96f9a6cc75368b84061c83fe9ea3f0248e53dc7e29", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|28|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/templates/Challenges/fill-in-the-blank/parse-blanks.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 57130, "scanner": "repobility-threat-engine", "fingerprint": "e4aae2610c5e7d6f6c18ecad6ee59a323eade3b43c8c75dea0261f5e73cb1ab0", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|121|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/templates/Challenges/classic/mobile-layout.tsx"}, "region": {"startLine": 121}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 57128, "scanner": "repobility-threat-engine", "fingerprint": "8301905728b56e4c8bde5a4191cc3da8da6cfc2bd773c9f06ddafbffecf7e4be", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(onaUrl, '_blank')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|36|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/templates/Challenges/codeally/ona-instructions.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 57127, "scanner": "repobility-threat-engine", "fingerprint": "2fb8369c19c89e4315652a809e580c343e183e41064a7c6c1cbe23694fb644e8", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(codespacesUrl, '_blank')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|31|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/templates/Challenges/codeally/codespaces-instructions.tsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 57126, "scanner": "repobility-threat-engine", "fingerprint": "e63e4dbbec92d480f27238ff5328fcec465177f9950308918d3aa08c916a3200", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(`${searchUrl}?query=${encodeURIComponent(value)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|27|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/components/search/searchBar/search-bar-optimized.tsx"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC130", "level": "warning", "message": {"text": "[SEC130] Hallucinated package name \u2014 looks like a real package but isn't: Import of a package name that closely resembles a popular one but isn't published \u2014 a classic AI hallucination. Two risks: (1) the code crashes on install in fresh environments, and (2) supply-chain attackers publish typosquat packages targeting exactly these AI-hallucinated names, so installing succeeds and ships malware ('slopsquatting'). CWE-1357 (dependency on an unmaintained / unverified component). 
CVE-2024-class sup"}, "properties": {"repobilityId": 57123, "scanner": "repobility-threat-engine", "fingerprint": "a626c097b1600ee89ee463b87663003c81ed016f6ffbfb6670664bff56a2e3bf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "import reactT", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC130", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a626c097b1600ee89ee463b87663003c81ed016f6ffbfb6670664bff56a2e3bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/client-plugins/browser-scripts/modules/typescript-compiler.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "SEC130", "level": "warning", "message": {"text": "[SEC130] Hallucinated package name \u2014 looks like a real package but isn't: Import of a package name that closely resembles a popular one but isn't published \u2014 a classic AI hallucination. Two risks: (1) the code crashes on install in fresh environments, and (2) supply-chain attackers publish typosquat packages targeting exactly these AI-hallucinated names, so installing succeeds and ships malware ('slopsquatting'). CWE-1357 (dependency on an unmaintained / unverified component). 
CVE-2024-class sup"}, "properties": {"repobilityId": 57122, "scanner": "repobility-threat-engine", "fingerprint": "ce5f59d119f1b8dde46505c8209e383c37af7e5be16fc8090f9c220afbbe5e41", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "import ReactT", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC130", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ce5f59d119f1b8dde46505c8209e383c37af7e5be16fc8090f9c220afbbe5e41"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/components/profile/components/heat-map.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 57213, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 57212, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": 
false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 57211, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 57210, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": 
"fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 57209, "scanner": "repobility-docker", "fingerprint": "2fa6165103511d3f12cd97de20406f5fd22acf0272b995810965cd31c34770a3", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "mailpit", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2fa6165103511d3f12cd97de20406f5fd22acf0272b995810965cd31c34770a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 57208, "scanner": "repobility-docker", "fingerprint": "2945ab20908857175c4f19f24b4e73496f7ac6857fa410f53ec49900a94c9d1a", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "mailpit", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2945ab20908857175c4f19f24b4e73496f7ac6857fa410f53ec49900a94c9d1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "DKR008", "level": "note", 
"message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 57200, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": ["id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 57199, "scanner": "repobility-docker", "fingerprint": "670f6ef008a42edc7e53e46a989dd0a9c90016f744a03e589b74069d43425b53", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|670f6ef008a42edc7e53e46a989dd0a9c90016f744a03e589b74069d43425b53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/api/Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 57198, "scanner": "repobility-docker", "fingerprint": "2f066487defc2336a062cade8a87c7b445e23e9e98ae0046221f8db35d7262db", "category": 
"docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|2f066487defc2336a062cade8a87c7b445e23e9e98ae0046221f8db35d7262db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/api/Dockerfile"}, "region": {"startLine": 35}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 57197, "scanner": "repobility-docker", "fingerprint": "666be8b9058971d32d4c366cac0c86e0b199ea4c9d57b49dfa83d69ab1e6abb1", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|666be8b9058971d32d4c366cac0c86e0b199ea4c9d57b49dfa83d69ab1e6abb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/api/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 57196, "scanner": "repobility-docker", "fingerprint": "d20fc486a1b74ba009bb65d30f58487ff7bda903b1582fef99ec6247628d29ca", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|d20fc486a1b74ba009bb65d30f58487ff7bda903b1582fef99ec6247628d29ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/api/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57195, "scanner": "repobility-ai-code-hygiene", "fingerprint": "84d9ea45bc6969ac7748fc030d8f43eff90626d941eac922ee2a4921368152f2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/assets/icons/a2-english.tsx", "duplicate_line": 57, "correlation_key": "fp|84d9ea45bc6969ac7748fc030d8f43eff90626d941eac922ee2a4921368152f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/assets/icons/b1-english.tsx"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57194, "scanner": "repobility-ai-code-hygiene", "fingerprint": "57e1b89cacb31a7f159a8af217e9d5f3309e1f2e2ca5d5a6dcef7c00fa9c30b3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/assets/icons/a1-spanish.tsx", "duplicate_line": 44, "correlation_key": 
"fp|57e1b89cacb31a7f159a8af217e9d5f3309e1f2e2ca5d5a6dcef7c00fa9c30b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/assets/icons/b1-english.tsx"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57193, "scanner": "repobility-ai-code-hygiene", "fingerprint": "24db0298a62231c85c855191660a46b563103a87fb84ef45f8c7aef430c0842f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/assets/icons/a1-chinese.tsx", "duplicate_line": 3, "correlation_key": "fp|24db0298a62231c85c855191660a46b563103a87fb84ef45f8c7aef430c0842f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/assets/icons/b1-english.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57192, "scanner": "repobility-ai-code-hygiene", "fingerprint": "49b46c97ea5c1119464c6986018298ea3e12f92e7f3f5013b886f50e163cdfc2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/assets/icons/a1-spanish.tsx", "duplicate_line": 44, "correlation_key": "fp|49b46c97ea5c1119464c6986018298ea3e12f92e7f3f5013b886f50e163cdfc2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"client/src/assets/icons/a2-spanish.tsx"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57191, "scanner": "repobility-ai-code-hygiene", "fingerprint": "949845fb1fc6f8a5e8af0b9bb77d5f237df9035cca0a3f3402c9c4cf925b1bab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/assets/icons/a2-chinese.tsx", "duplicate_line": 31, "correlation_key": "fp|949845fb1fc6f8a5e8af0b9bb77d5f237df9035cca0a3f3402c9c4cf925b1bab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/assets/icons/a2-spanish.tsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57190, "scanner": "repobility-ai-code-hygiene", "fingerprint": "515110d0a99200eb4c0496c65f3a268f87b845aa290d56442eea175f5c743652", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/assets/icons/a1-chinese.tsx", "duplicate_line": 3, "correlation_key": "fp|515110d0a99200eb4c0496c65f3a268f87b845aa290d56442eea175f5c743652"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/assets/icons/a2-spanish.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": 
"Duplicated implementation block across source files"}, "properties": {"repobilityId": 57189, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ed9fe963861963ffc15f8474607cf4290ffcb6039ea1f53ee305f4544ea74a23", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/assets/icons/a1-spanish.tsx", "duplicate_line": 44, "correlation_key": "fp|ed9fe963861963ffc15f8474607cf4290ffcb6039ea1f53ee305f4544ea74a23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/assets/icons/a2-english.tsx"}, "region": {"startLine": 44}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57188, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fc6770ec927bde1888eb4b023b4529f96fa764a74b7d0a60d2d2b1b416f63e3c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/assets/icons/a2-chinese.tsx", "duplicate_line": 31, "correlation_key": "fp|fc6770ec927bde1888eb4b023b4529f96fa764a74b7d0a60d2d2b1b416f63e3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/assets/icons/a2-english.tsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57187, "scanner": "repobility-ai-code-hygiene", 
"fingerprint": "69f178ca633e48dbe5202ea57359384f782a558514155fd18cf3e098bd2f4a22", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/assets/icons/a1-chinese.tsx", "duplicate_line": 3, "correlation_key": "fp|69f178ca633e48dbe5202ea57359384f782a558514155fd18cf3e098bd2f4a22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/assets/icons/a2-english.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57186, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2631593658a6b0e35f26fa837be16648db2787b55fdc43381e1186ecec0497f0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/assets/icons/a1-chinese.tsx", "duplicate_line": 3, "correlation_key": "fp|2631593658a6b0e35f26fa837be16648db2787b55fdc43381e1186ecec0497f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/assets/icons/a2-chinese.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57185, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dba14b0b0d5a7fe21132a4dbf867747ce2dabcabedf2de576aa6822730c6bceb", "category": "quality", "severity": "low", "confidence": 
0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "client/src/assets/icons/a1-chinese.tsx", "duplicate_line": 3, "correlation_key": "fp|dba14b0b0d5a7fe21132a4dbf867747ce2dabcabedf2de576aa6822730c6bceb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/assets/icons/a1-spanish.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57184, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f9e2496f6a07db09cf306dce0f5673f876e86cdd753802fd0e51dfb05f3d5c90", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/plugins/__fixtures__/user.ts", "duplicate_line": 72, "correlation_key": "fp|f9e2496f6a07db09cf306dce0f5673f876e86cdd753802fd0e51dfb05f3d5c90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/utils/create-user.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57183, "scanner": "repobility-ai-code-hygiene", "fingerprint": "30d9a4111e7953678fddf29cf56b137a393636eede1cbfc8cc6fee6643e75d4f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different 
non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/schemas/certificate/certificate-verify.ts", "duplicate_line": 27, "correlation_key": "fp|30d9a4111e7953678fddf29cf56b137a393636eede1cbfc8cc6fee6643e75d4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/schemas/users/get-public-profile.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57182, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fe9b51f6945d9658e16815617d733a2f87165532b0d91aac9b6844ceab8f5005", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/schemas/user/get-session-user.ts", "duplicate_line": 19, "correlation_key": "fp|fe9b51f6945d9658e16815617d733a2f87165532b0d91aac9b6844ceab8f5005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/schemas/users/get-public-profile.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57181, "scanner": "repobility-ai-code-hygiene", "fingerprint": "da4e7f47ff51e9cecead56b5a15608f70d096e066b3eae69626928a996bb5922", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "api/src/schemas/certificate/certificate-verify.ts", "duplicate_line": 27, "correlation_key": "fp|da4e7f47ff51e9cecead56b5a15608f70d096e066b3eae69626928a996bb5922"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/schemas/user/get-session-user.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57180, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3d223e42017d0572a4a5d3eb92cb7e227d539f7fb4aad6f0d37dda5e89bc17dd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/schemas/settings/update-my-about.ts", "duplicate_line": 12, "correlation_key": "fp|3d223e42017d0572a4a5d3eb92cb7e227d539f7fb4aad6f0d37dda5e89bc17dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/schemas/settings/update-socrates.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57179, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ce09e5b13c83eabae8b88f339ff37d65fa0137541ec89b1547dc178eaf32fbd3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/schemas/settings/update-my-about.ts", 
"duplicate_line": 12, "correlation_key": "fp|ce09e5b13c83eabae8b88f339ff37d65fa0137541ec89b1547dc178eaf32fbd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/schemas/settings/update-my-theme.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57178, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8089b5bc885faa7cfbf87f9b4af7a5396773f8df4a84a770e23f9e99474d63b4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/schemas/settings/update-my-about.ts", "duplicate_line": 12, "correlation_key": "fp|8089b5bc885faa7cfbf87f9b4af7a5396773f8df4a84a770e23f9e99474d63b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/schemas/settings/update-my-socials.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57177, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d9c428fe7a6bc6a545da8548382f5240355f9d4a574bbc3f504e9af0e59bf8c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/schemas/settings/update-my-about.ts", "duplicate_line": 12, "correlation_key": "fp|9d9c428fe7a6bc6a545da8548382f5240355f9d4a574bbc3f504e9af0e59bf8c"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/schemas/settings/update-my-quincy-email.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57176, "scanner": "repobility-ai-code-hygiene", "fingerprint": "af6e89a035292b0b13e2d2ae272d46b80249dd10946d6fb3db3de14120d4a7ce", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/schemas/settings/update-my-about.ts", "duplicate_line": 12, "correlation_key": "fp|af6e89a035292b0b13e2d2ae272d46b80249dd10946d6fb3db3de14120d4a7ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/schemas/settings/update-my-profile-ui.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57175, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a1f32c27556209f1574c83a53aaa0b13d7835ddec2d9833032e2ccccff05cc58", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/schemas/settings/update-my-privacy-terms.ts", "duplicate_line": 5, "correlation_key": "fp|a1f32c27556209f1574c83a53aaa0b13d7835ddec2d9833032e2ccccff05cc58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"api/src/schemas/settings/update-my-profile-ui.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57174, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c094bb2e33e63f4581c802dff1d159e20de275855cd60de837483f6103a51221", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/schemas/settings/update-my-about.ts", "duplicate_line": 12, "correlation_key": "fp|c094bb2e33e63f4581c802dff1d159e20de275855cd60de837483f6103a51221"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/schemas/settings/update-my-privacy-terms.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57173, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2842fad73a368869b516c6d0c612dcffd8f2635b03d751cb41e8df75cded3932", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/schemas/settings/update-my-about.ts", "duplicate_line": 12, "correlation_key": "fp|2842fad73a368869b516c6d0c612dcffd8f2635b03d751cb41e8df75cded3932"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/schemas/settings/update-my-portfolio.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": 
"AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57172, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d3a8b88bdd20571d4ac134209b4dc9f3f6f73a03d6da1f9fc9fbac04f53c6acf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/schemas/settings/update-my-about.ts", "duplicate_line": 12, "correlation_key": "fp|d3a8b88bdd20571d4ac134209b4dc9f3f6f73a03d6da1f9fc9fbac04f53c6acf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/schemas/settings/update-my-keyboard-shortcuts.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57171, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bafeb53fe8aed3b347f60719e8ea668f2179360fb4fb3996a3d88e305d0f43e7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/schemas/settings/update-my-about.ts", "duplicate_line": 12, "correlation_key": "fp|bafeb53fe8aed3b347f60719e8ea668f2179360fb4fb3996a3d88e305d0f43e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/schemas/settings/update-my-honesty.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, 
"properties": {"repobilityId": 57170, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9bf3766b0374e7deea2fea387ce2352c7c78976dbe0a570a44e7c328cc662020", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/schemas/settings/update-my-about.ts", "duplicate_line": 12, "correlation_key": "fp|9bf3766b0374e7deea2fea387ce2352c7c78976dbe0a570a44e7c328cc662020"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/schemas/settings/update-my-experience.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57169, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b6aab98344f7d8ae32bb0b2fde487535903e145d9162e870fd8dae36279d307a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/schemas/challenge/backend-challenge-completed.ts", "duplicate_line": 12, "correlation_key": "fp|b6aab98344f7d8ae32bb0b2fde487535903e145d9162e870fd8dae36279d307a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/schemas/challenge/modern-challenge-completed.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57168, "scanner": "repobility-ai-code-hygiene", 
"fingerprint": "eab95df3978e3336eaf846a917d698f855bca89b82a6a67fd077c56ccd9339ff", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/schemas/challenge/exam-challenge-completed.ts", "duplicate_line": 28, "correlation_key": "fp|eab95df3978e3336eaf846a917d698f855bca89b82a6a67fd077c56ccd9339ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/schemas/challenge/exam.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57167, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a1be5a9ad29ede3b81066ea6672cc9442745c92ae0af9f26fffc5b296ec29cda", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/schemas/challenge/backend-challenge-completed.ts", "duplicate_line": 12, "correlation_key": "fp|a1be5a9ad29ede3b81066ea6672cc9442745c92ae0af9f26fffc5b296ec29cda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/schemas/challenge/daily-coding-challenge-completed.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 57166, "scanner": "repobility-ai-code-hygiene", "fingerprint": "72e5926ccf07e825d6c983dc86f23b70bb9e1cb4185504e378e77670bfa201ca", 
"category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/src/routes/protected/certificate.ts", "duplicate_line": 302, "correlation_key": "fp|72e5926ccf07e825d6c983dc86f23b70bb9e1cb4185504e378e77670bfa201ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/routes/protected/user.ts"}, "region": {"startLine": 647}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 57164, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3f85285163ba0150c2b288376838dc78f4a1deb5be1456edb4f861d0fd32c9c7", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|3f85285163ba0150c2b288376838dc78f4a1deb5be1456edb4f861d0fd32c9c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/plugins/cookie-update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 57138, "scanner": "repobility-threat-engine", "fingerprint": "b3c232a726f8bb459b25f689ebdb4fccbd3309b4547b0a80947c5129ffd46476", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 
may be static content", "evidence": {"match": ".innerHTML = i", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|106|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/templates/Challenges/utils/index.ts"}, "region": {"startLine": 106}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 57137, "scanner": "repobility-threat-engine", "fingerprint": "ff1d44ab0c644abb48fca8fb5333f0b89042c5011be6c93123c9e7a12d73a376", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|113|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/templates/Challenges/components/preview-portal.tsx"}, "region": {"startLine": 113}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 57106, "scanner": "repobility-threat-engine", "fingerprint": "59d022286ae31addd9139cb70a2786b93ae3a9db6d0d6801cf1b195f11fbd3ff", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'../../i18n/locales/' + clientLocale + '/motivation.json'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|59d022286ae31addd9139cb70a2786b93ae3a9db6d0d6801cf1b195f11fbd3ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/utils/get-words.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 57105, "scanner": "repobility-threat-engine", "fingerprint": "d0aa5c5984bf56c050194cfe99fd33e41209936ca3b5e34e760ff7de929004c9", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'./locales/' + clientLocale + '/translations.json'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d0aa5c5984bf56c050194cfe99fd33e41209936ca3b5e34e760ff7de929004c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/i18n/config.js"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 57104, "scanner": "repobility-threat-engine", "fingerprint": "d24ac66e397ea745f6d477cc49b4e9919ef2f1633ff143e14b21b2f4b254963c", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'|script\\\\b' +\n      tagBody +\n      '>[\\\\s\\\\S]*?</script\\\\s*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d24ac66e397ea745f6d477cc49b4e9919ef2f1633ff143e14b21b2f4b254963c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/utils/validation.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED057", "level": "none", "message": {"text": "[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness \u2014 left for later but never resolved."}, "properties": {"repobilityId": 57163, "scanner": "repobility-threat-engine", "fingerprint": "4353a39e060d76eab304ef60fff7fcb90d865710e3964844990a508c08743b7c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "todo-bomb", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348035+00:00", "triaged_in_corpus": 10, "observations_count": 255662, "ai_coder_pattern_id": 4}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4353a39e060d76eab304ef60fff7fcb90d865710e3964844990a508c08743b7c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/client-plugins/browser-scripts/modules/typescript-compiler.ts"}, 
"region": {"startLine": 43}}}]}, {"ruleId": "MINED018", "level": "none", "message": {"text": "[MINED018] Unsafe Deserialization Pickle (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 57157, "scanner": "repobility-threat-engine", "fingerprint": "82c68ae0651087d065734edd98447ffaaa4b2082877ff524102395a395fbf806", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|82c68ae0651087d065734edd98447ffaaa4b2082877ff524102395a395fbf806", "aggregated_count": 2}}}, {"ruleId": "SEC116", "level": "none", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 57153, "scanner": "repobility-threat-engine", "fingerprint": "b6e65f54706655fa02d6ca7160eccf3bfc3cd9417aec04a602738d7c9aa2e531", "category": "deserialization", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b6e65f54706655fa02d6ca7160eccf3bfc3cd9417aec04a602738d7c9aa2e531"}}}, {"ruleId": "SEC079", "level": "none", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 57149, "scanner": "repobility-threat-engine", "fingerprint": "20aa4732690a5f51ee84069dfc7e9bafd5c2407b9da444b5b12f17a8afe53918", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|20aa4732690a5f51ee84069dfc7e9bafd5c2407b9da444b5b12f17a8afe53918"}}}, {"ruleId": "SEC007", "level": "none", "message": {"text": "[SEC007] Unsafe Deserialization (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 57145, "scanner": "repobility-threat-engine", "fingerprint": "be2661587707cce223851f35575b809f74d2cf91013a38d77faf261cb6e5960e", "category": "deserialization", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|be2661587707cce223851f35575b809f74d2cf91013a38d77faf261cb6e5960e"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 57133, "scanner": "repobility-threat-engine", "fingerprint": "c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb"}}}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\" (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 57129, "scanner": "repobility-threat-engine", "fingerprint": "0eef884db84dc77198cfae04feff1d5e87337621ea6e75bc6e5e06b9220adcd5", "category": "security", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0eef884db84dc77198cfae04feff1d5e87337621ea6e75bc6e5e06b9220adcd5"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 57121, "scanner": "repobility-threat-engine", "fingerprint": "bbcb733a3fba112627e4b7e830cefd1595cf5645df4ccaa9a211a5c5e0592cd4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|bbcb733a3fba112627e4b7e830cefd1595cf5645df4ccaa9a211a5c5e0592cd4", "aggregated_count": 6}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 57120, "scanner": "repobility-threat-engine", "fingerprint": "4f96d693cedbc500ac844f493f2e6f94b5948dccf0ca16f3a6ebbbf788793c3e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", 
"jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4f96d693cedbc500ac844f493f2e6f94b5948dccf0ca16f3a6ebbbf788793c3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/components/landing/components/faq.tsx"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 57119, "scanner": "repobility-threat-engine", "fingerprint": "5a48625b7ea6d07a0760cf5fe1b4d772cdd42cf61a710233b30550b282284a89", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5a48625b7ea6d07a0760cf5fe1b4d772cdd42cf61a710233b30550b282284a89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/components/landing/components/benefits.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 57118, "scanner": "repobility-threat-engine", "fingerprint": "ae6db1907e3e05c61459580b6480df0e69f6999e4b08457a28451618b3ef8e60", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ae6db1907e3e05c61459580b6480df0e69f6999e4b08457a28451618b3ef8e60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/components/catalog-item.tsx"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 57117, "scanner": "repobility-threat-engine", "fingerprint": "dd55ce3a9f3f9694552e8f4756890f4a32ddb6947f938d3ce6625eb2c930cc47", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|dd55ce3a9f3f9694552e8f4756890f4a32ddb6947f938d3ce6625eb2c930cc47", "aggregated_count": 7}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 57116, "scanner": "repobility-threat-engine", "fingerprint": "13897d4515e179682cfa10c53dc65fa6b90df41bcda823522e7d54941cec8983", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|13897d4515e179682cfa10c53dc65fa6b90df41bcda823522e7d54941cec8983"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/html.tsx"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 57115, "scanner": "repobility-threat-engine", "fingerprint": "83cd7e75d57aac0c68d2c25a6330fc6986d6c542f2b611aae963284f00f68205", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|83cd7e75d57aac0c68d2c25a6330fc6986d6c542f2b611aae963284f00f68205"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/components/helpers/skeleton-sprite.tsx"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 57114, "scanner": "repobility-threat-engine", "fingerprint": "0e4ae3a0a36cb80c4c31e92b3f34345f086c6af2bfa63178957e045df2ba4c37", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0e4ae3a0a36cb80c4c31e92b3f34345f086c6af2bfa63178957e045df2ba4c37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/components/SolutionViewer/solution-viewer.tsx"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 65 more): Same pattern found in 65 additional files. Review if needed."}, "properties": {"repobilityId": 57113, "scanner": "repobility-threat-engine", "fingerprint": "55862c4b5a2519a830c571d749aae272d12fd733895998732a5f3dbfa0555a8d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 65 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|55862c4b5a2519a830c571d749aae272d12fd733895998732a5f3dbfa0555a8d", "aggregated_count": 65}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 57112, "scanner": "repobility-threat-engine", "fingerprint": "baf67ce1bb1c7e938653f416607dc3a7bdd53891078cbadb870509c1491f397c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|baf67ce1bb1c7e938653f416607dc3a7bdd53891078cbadb870509c1491f397c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/assets/icons/a2-chinese.tsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 57111, "scanner": "repobility-threat-engine", "fingerprint": "1aff0f359b6a7a41017be79bd5b882b677c6436fca690f21b75284477cfd1447", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1aff0f359b6a7a41017be79bd5b882b677c6436fca690f21b75284477cfd1447"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/assets/icons/a1-spanish.tsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 57110, "scanner": "repobility-threat-engine", "fingerprint": "90c53a022e8247d2f8d081da1cd507a37234e856a6ab4615f993489b1e069f0a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|90c53a022e8247d2f8d081da1cd507a37234e856a6ab4615f993489b1e069f0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/assets/icons/a1-chinese.tsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 57109, "scanner": "repobility-threat-engine", "fingerprint": "51597ff0766a5f0230a11129ef061aa82fa8ba549721c40e064fc1236f6e887d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|51597ff0766a5f0230a11129ef061aa82fa8ba549721c40e064fc1236f6e887d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/components/profile/components/heat-map.tsx"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 57108, "scanner": "repobility-threat-engine", "fingerprint": "ea686597ae10abedb22064519a76c899841c86669ff938b9be4073d190ab22ea", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ea686597ae10abedb22064519a76c899841c86669ff938b9be4073d190ab22ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/gatsby-node.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 57107, "scanner": "repobility-threat-engine", "fingerprint": "0a93f04a20a5455ea1d5583f76d6ecf7b16d6848f2b1fa2649ea0d3237642e97", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0a93f04a20a5455ea1d5583f76d6ecf7b16d6848f2b1fa2649ea0d3237642e97"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 44 more): Same pattern found in 44 additional files. Review if needed."}, "properties": {"repobilityId": 57103, "scanner": "repobility-threat-engine", "fingerprint": "882f36a32267bcfd0615f9d9c3164ec06f34f74d22dfd677e67677135ad230d5", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 44 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|882f36a32267bcfd0615f9d9c3164ec06f34f74d22dfd677e67677135ad230d5", "aggregated_count": 44}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 57102, "scanner": "repobility-threat-engine", "fingerprint": "32d4b35c90d8512256e5d5baa813e1912b764a52843899840e2df02605bdd100", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|32d4b35c90d8512256e5d5baa813e1912b764a52843899840e2df02605bdd100"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/i18n/schema-validation.ts"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 57101, "scanner": "repobility-threat-engine", "fingerprint": "cdb0a4c6a14ffd349e61b21e57fbd1f48a34ec3ae454efb293996c34882e6e61", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cdb0a4c6a14ffd349e61b21e57fbd1f48a34ec3ae454efb293996c34882e6e61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/utils/redirection.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 57100, "scanner": "repobility-threat-engine", "fingerprint": "d9b65b756f6ad9de2da8c466361895f1ae3dd41eed7ca36af6255c174a43d99d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d9b65b756f6ad9de2da8c466361895f1ae3dd41eed7ca36af6255c174a43d99d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/utils/env.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 57099, "scanner": "repobility-threat-engine", "fingerprint": "01be47d0509f6d0dfd67a399c7e36d3729ce821269e80c54848abb86a7ce824e", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|7|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/utils/growthbook-cookie.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 57098, "scanner": "repobility-threat-engine", "fingerprint": "cf7087a41303e93546b88d6d2fbaba55b7bb061f5681b129e566cc4ffc8d392b", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|62|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/utils/create-user.ts"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 57096, "scanner": "repobility-threat-engine", "fingerprint": "7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|7a4b0f5540cad034a1707c0e9f6ef94d621d463e55602684599877ea4071a670"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 57092, "scanner": "repobility-threat-engine", "fingerprint": "54788ada82aa489e875938ab58165ca4b1594eca53726465dbeab561ecdd5864", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|54788ada82aa489e875938ab58165ca4b1594eca53726465dbeab561ecdd5864"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 57088, "scanner": "repobility-threat-engine", "fingerprint": "a491f24d9771ecffd42029f4539747d6a60d6c0b4b5acaa8537864d6ea66020b", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.trace('Adding CSRF token to response')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|api/src/plugins/csrf.ts|3|logger.trace adding csrf token to response"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/plugins/csrf.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 57086, "scanner": "repobility-threat-engine", "fingerprint": "2556975feaef201acb56a0abc6a103ae1f97228ad1dd56834ed276d241b675e3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2556975feaef201acb56a0abc6a103ae1f97228ad1dd56834ed276d241b675e3"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/vitest.utils.ts"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 57085, "scanner": "repobility-threat-engine", "fingerprint": "3389d42c963c3e2d328ad942e146ca01288c4441e6370c333725a404050ee87f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3389d42c963c3e2d328ad942e146ca01288c4441e6370c333725a404050ee87f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/plugins/auth-dev.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 57084, "scanner": "repobility-threat-engine", "fingerprint": "53d0d55f0ce05bf89db2db74d074a0af0d2e2f55e7abb4083cb8de8c90e785f6", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|53d0d55f0ce05bf89db2db74d074a0af0d2e2f55e7abb4083cb8de8c90e785f6", "aggregated_count": 7}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 57083, "scanner": "repobility-threat-engine", "fingerprint": "6fbade581e51b489e5e14c3bc5f70810131c5dfe9fc35c8ffc6ccc1a0255a18d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6fbade581e51b489e5e14c3bc5f70810131c5dfe9fc35c8ffc6ccc1a0255a18d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/routes/protected/socrates.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 57082, "scanner": "repobility-threat-engine", "fingerprint": "6c19f96ff130c2caacfc9edd5757782512f4b7ce07790a24a9b095f489c4f3bd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6c19f96ff130c2caacfc9edd5757782512f4b7ce07790a24a9b095f489c4f3bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/routes/protected/donate.ts"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 57081, "scanner": "repobility-threat-engine", "fingerprint": "411b215e750e5395c3bee70e59f75406e7613cd547120957f680e2ee8d4e2911", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|411b215e750e5395c3bee70e59f75406e7613cd547120957f680e2ee8d4e2911"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/__fixtures__/exam-environment-exam.ts"}, "region": {"startLine": 206}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-bookworm` not pinned by digest: `FROM node:24-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity. Keep the tag next to the digest (`node:24-bookworm@sha256:...`) so the intended version stays readable, and pair the pin with automated digest updates (Renovate/Dependabot): a digest is a frozen snapshot and otherwise silently stops receiving base-image security patches. docker/api/Dockerfile has three FROM lines (1, 33, 50) \u2014 pin every stage, not only the final one, since build stages also pull and run code."}, "properties": {"repobilityId": 57219, "scanner": "repobility-supply-chain", "fingerprint": "ed34dfa820fd81655de73ae8615f18426b4e0a58ef88ba214afec28914ecc758", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ed34dfa820fd81655de73ae8615f18426b4e0a58ef88ba214afec28914ecc758"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/api/Dockerfile"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-bookworm` not pinned by digest: `FROM node:24-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 57218, "scanner": "repobility-supply-chain", "fingerprint": "5326b881cf21719f5d54704ce30110fae4de6a16ba12ba148268bfa62a5730b8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5326b881cf21719f5d54704ce30110fae4de6a16ba12ba148268bfa62a5730b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/api/Dockerfile"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-bookworm` not pinned by digest: `FROM node:24-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 57217, "scanner": "repobility-supply-chain", "fingerprint": "25aba3c537fbf474824e666a5c576d278de52bebbef5db62f4345db06c40b6ef", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|25aba3c537fbf474824e666a5c576d278de52bebbef5db62f4345db06c40b6ef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/api/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-bookworm` not pinned by digest: `FROM node:24-bookworm` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 57216, "scanner": "repobility-supply-chain", "fingerprint": "b8edaddb5b4f7fd201efe278fc176975fc46dd83c4f15b5a019da8754278b7ae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b8edaddb5b4f7fd201efe278fc176975fc46dd83c4f15b5a019da8754278b7ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/devcontainer/Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 57205, "scanner": "repobility-docker", "fingerprint": "5b07e7fdd7a68c8e25a3ac134cd36ef790b40516bd53ff46292fbe56497e9c23", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "setup", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|5b07e7fdd7a68c8e25a3ac134cd36ef790b40516bd53ff46292fbe56497e9c23", "expected_targets": ["/data/configdb", "/data/db"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 57204, "scanner": "repobility-docker", "fingerprint": "ec8654a16969f9b7c5c487982ee150658d1b8132f6f6dbc8d62a4b4f55ca4c2a", "category": "docker", 
"severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind: `27017:27017` carries no host_ip, so Docker binds 0.0.0.0 on every host interface (and Docker's own iptables rules typically bypass host-level firewalls such as ufw). Bind to `127.0.0.1:27017:27017` or remove the `ports:` entry so MongoDB is reachable only from the compose network, and verify the database requires authentication \u2014 an exposed unauthenticated MongoDB is trivially dumpable.", "evidence": {"ports": [{"raw": "27017:27017", "target": "27017", "host_ip": "", "published": "27017"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|ec8654a16969f9b7c5c487982ee150658d1b8132f6f6dbc8d62a4b4f55ca4c2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKC013", "level": "error", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 57202, "scanner": "repobility-docker", "fingerprint": "f53deb4a853d3a74fa9ab1830546dff1bd7aa56a64caaed5458aa4f38a07f5c3", "category": "docker", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service does not mount a known data directory. Caveat: the flagged service is `setup`, which from its name may be a one-shot init/seed container built from the database image rather than the database itself; if so, a data volume is unnecessary here and the persistence check belongs on the `db` service instead \u2014 confirm against the compose file.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "setup", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|f53deb4a853d3a74fa9ab1830546dff1bd7aa56a64caaed5458aa4f38a07f5c3", "expected_targets": ["/data/configdb", "/data/db"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 57162, "scanner": "repobility-threat-engine", "fingerprint": "6d0bc39ace67827628d6851b5957aa13078df21aae3d8eb5cfd6a21b3559f5b8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(regexBefore", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6d0bc39ace67827628d6851b5957aa13078df21aae3d8eb5cfd6a21b3559f5b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/challenge-parser/translation-parser/index.js"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 57161, "scanner": "repobility-threat-engine", "fingerprint": "b37fb6fe19a8b5b805a173d3b409bda0fc02189fba9dd653766c40ff0d624597", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(\n  `${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b37fb6fe19a8b5b805a173d3b409bda0fc02189fba9dd653766c40ff0d624597"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/challenge-parser/parser/plugins/utils/i18n-stringify.js"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 57160, "scanner": "repobility-threat-engine", "fingerprint": "85973cc6ea63a882f8f9ce4842d955f05729917d2533a6bcf4fbfec564684563", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|85973cc6ea63a882f8f9ce4842d955f05729917d2533a6bcf4fbfec564684563"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/client-plugins/gatsby-source-challenges/create-challenge-nodes.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": 
"[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 57159, "scanner": "repobility-threat-engine", "fingerprint": "2a46123da78d1af70673c31e388d7d1ca95e270a7266e8efb44fda64d9499b4b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a46123da78d1af70673c31e388d7d1ca95e270a7266e8efb44fda64d9499b4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/shared/src/config/constants.ts"}, "region": {"startLine": 302}}}]}, {"ruleId": "SEC027", "level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. 
libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 57140, "scanner": "repobility-threat-engine", "fingerprint": "b2b2f98d9335afc97d90cd1f47ac3e8841d3b9ff9416e44cdacff6e18a11e892", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Caveat: the match is `new DOMParser()` in browser-side code (client/), where the native DOMParser does not fetch external entities or DTDs and does not execute scripts in the parsed document, so XXE as described does not apply; confirm that no server-side XML library (libxmljs, xmldom) is in play before treating this as confirmed. If the parsed document is later inserted into the live DOM, review that path under XSS rather than XXE.", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b2b2f98d9335afc97d90cd1f47ac3e8841d3b9ff9416e44cdacff6e18a11e892"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/templates/Challenges/utils/build.ts"}, "region": {"startLine": 63}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 57139, "scanner": "repobility-threat-engine", "fingerprint": "0139e0e00b6f222712f299bfec7043b4ea81d2564961a3811d318b20f2847b76", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([key, val]) => `${key}: ${transformEditorLink(val)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0139e0e00b6f222712f299bfec7043b4ea81d2564961a3811d318b20f2847b76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/templates/Challenges/redux/create-question-epic.js"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 57136, "scanner": "repobility-threat-engine", "fingerprint": "263a9955a50d1b54bdd89ed34e2738a554880ddd9d69639ae7a20df94286b38e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|263a9955a50d1b54bdd89ed34e2738a554880ddd9d69639ae7a20df94286b38e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/challenge-parser/parser/plugins/utils/i18n-stringify.js"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 57135, "scanner": "repobility-threat-engine", "fingerprint": "047a0f12646d5cf36283e70dbac1e0b88655707b6e7ddd9f38249bccafa12519", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|047a0f12646d5cf36283e70dbac1e0b88655707b6e7ddd9f38249bccafa12519"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/templates/Challenges/fill-in-the-blank/parse-blanks.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 57134, "scanner": "repobility-threat-engine", "fingerprint": "8e954c9dd02904b66ea396d63aa27a3ad6ae571b5251391d6da71501571b0f4f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Caveat: the match is `exec(navigator` inside a browser-side React component (client/.../mobile-layout.tsx); child_process does not exist in the browser, so this is almost certainly `RegExp.prototype.exec` applied to a navigator property (e.g. the user-agent string), not a shell command. Likely false positive \u2014 confirm the callee is a RegExp. The same `exec(` ambiguity affects the sibling SEC085 findings in client/.../parse-blanks.ts and tools/.../i18n-stringify.js, the latter sitting a few lines below a `new RegExp(` flagged by SEC083.", "evidence": {"match": "exec(navigator", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8e954c9dd02904b66ea396d63aa27a3ad6ae571b5251391d6da71501571b0f4f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/templates/Challenges/classic/mobile-layout.tsx"}, "region": {"startLine": 121}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 57125, "scanner": "repobility-threat-engine", "fingerprint": "12759c1d7c357e190c868666eb14e8588d77729d5afdba5a10afeca974d96cd6", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction. Caveat: the match `open('POST', '/python/intercept-input...` has the shape of `XMLHttpRequest.open(method, url)` with a string-literal URL inside a browser worker script, not a filesystem open, and no user-controlled token is visible in the matched path, so filesystem path traversal does not apply. Likely false positive; if the request body carries user input, review whatever handles the `/python/intercept-input` endpoint instead.", "evidence": {"match": "open('POST', '/python/intercept-input", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|92|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/client-plugins/browser-scripts/python-worker.ts"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 57124, "scanner": "repobility-threat-engine", "fingerprint": "94c6e4e4e25a2ff5139227bdbd3af52e037ebe467efd0988373f5d7319b83a4d", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction. Caveat: the match `open(`${searchUrl}?query...` opens a URL from a browser search component (window.open or similar), not a filesystem path, so path traversal does not apply. The questions worth answering instead are whether `searchUrl` can be attacker-influenced (open redirect / javascript: URL) and whether the query value is passed through encodeURIComponent before interpolation.", "evidence": {"match": "open(`${searchUrl}?query", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|27|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/components/search/searchBar/search-bar-optimized.tsx"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 57097, "scanner": "repobility-threat-engine", "fingerprint": "c07911fb2981e50d1dddf405f2f774fa49c82a1378f2d25fb20a0f72e44de569", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. rejectUnauthorized:false disables certificate validation for the SMTP connection, so mail traffic (and any sign-in or password-reset links it carries) can be intercepted by an on-path attacker. If the flag exists only for a local dev mail sink, gate it on an explicit non-production setting and make sure the production transport cannot reach that branch; otherwise remove it and trust the provider's CA.", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c07911fb2981e50d1dddf405f2f774fa49c82a1378f2d25fb20a0f72e44de569"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/plugins/mail-providers/nodemailer.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without 
await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 57095, "scanner": "repobility-threat-engine", "fingerprint": "ce06e84131c27345a542b97fcce6bb1a492b8a24d5bc419c9f24a055511a3700", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.all(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ce06e84131c27345a542b97fcce6bb1a492b8a24d5bc419c9f24a055511a3700"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/templates/Challenges/utils/use-detect-os.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 57094, "scanner": "repobility-threat-engine", "fingerprint": "11239ff87f6c5433862be0f7611028dc260d7f4891e6efd4441784403d7bc227", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.all(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|11239ff87f6c5433862be0f7611028dc260d7f4891e6efd4441784403d7bc227"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/redux/failed-updates-epic.js"}, "region": {"startLine": 91}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 57093, "scanner": "repobility-threat-engine", "fingerprint": "b51c2669d0e1d0173081f78ec6fa414292770fe19045e012f9194f84d19c98e8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "gb.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b51c2669d0e1d0173081f78ec6fa414292770fe19045e012f9194f84d19c98e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/plugins/growth-book.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 57091, "scanner": "repobility-threat-engine", "fingerprint": "55b221502acfdd2a167718d97b52fe472f7edb0b5a174c763623e2a861b20f55", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(h", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|55b221502acfdd2a167718d97b52fe472f7edb0b5a174c763623e2a861b20f55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/utils/normalize.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 57090, "scanner": "repobility-threat-engine", "fingerprint": "564282096b12b824da871ff9332c09a3fb0b524a1de5c566aae22b3a1637f281", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Caveat: the match is a `new URL(...)` constructor call, which parses a URL and performs no network request; SSRF requires the parsed value to be fetched downstream. In api/src/utils/env.ts the argument is most likely deployment configuration (environment variables) rather than request data, so this is probably a false positive \u2014 confirm the argument's origin and whether the result feeds an outbound fetch.", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|564282096b12b824da871ff9332c09a3fb0b524a1de5c566aae22b3a1637f281"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/utils/env.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 57089, "scanner": "repobility-threat-engine", "fingerprint": "37d6118a4bd7e418622967118b34a18eb8c694d543d4a161af00846a6222105d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found. Caveat: `new URL(...)` only parses; no request is made at the match site. In an Auth0 plugin the argument is plausibly the configured issuer/domain, but if any request-derived component (a redirect or callback URL, for instance) reaches a subsequent fetch, enforce an allowlist of expected hosts and reject non-https schemes \u2014 confirm the argument's origin.", "evidence": {"match": "URL(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|37d6118a4bd7e418622967118b34a18eb8c694d543d4a161af00846a6222105d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/plugins/auth0.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 57087, "scanner": "repobility-threat-engine", "fingerprint": "14d8a8eb7d8cf4501e06246677bcfa7e51a900038b36d5be43aabd3ae2d34dae", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged. Caveat: the match fired on the literal 'access token' in the log message; the value actually logged is the `error` object, not a token. The residual risk is real, though: HTTP-client error objects (axios-style) commonly carry the request config, including headers and the POST body with client_id/client_secret. Log only `error.message` and the response status, or redact config/headers before handing the object to the logger.", "evidence": {"match": "logger.error(error, 'Failed to get access token from Auth0')", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|api/src/plugins/auth0.ts|14|logger.error error failed to get access token from auth0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/src/plugins/auth0.ts"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED116", "level": "error", "message": 
{"text": "[MINED116] Workflow uses `secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the PR's code. Referencing `${ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }` in a job that runs that code lets the PR author exfiltrate the secret (modify a script, log the value, etc.). Scope note: GitHub does not pass repository secrets (other than the read-only GITHUB_TOKEN) to `pull_request` runs triggered from forks, so the exposure is to PRs opened from branches in this repository \u2014 i.e. anyone with write access \u2014 rather than to any fork. It is still a signing key in an untrusted-code context: if fork PRs need the remote cache, split the workflow so untrusted build steps run under `pull_request` without secrets and secret-bearing steps run in a `pull_request_target` or `workflow_run` job that never checks out or executes the PR's code. Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 57232, "scanner": "repobility-supply-chain", "fingerprint": "54742f4fd6e29009a21999f67c63e5720ed6f00a144a2c16d91d1fd3db2312c5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|54742f4fd6e29009a21999f67c63e5720ed6f00a144a2c16d91d1fd3db2312c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-playwright.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TURBO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the PR's code. Referencing `${ secrets.TURBO_TOKEN }` lets the PR author exfiltrate the secret (modify a script, log the value, etc.); fork-originated `pull_request` runs do not receive repository secrets, so the exposure is to PRs from same-repository branches. 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 57231, "scanner": "repobility-supply-chain", "fingerprint": "d1afd5329435cfb4b89bf9bdd0789bd0585b2ba818b351523bf70284882772f5", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d1afd5329435cfb4b89bf9bdd0789bd0585b2ba818b351523bf70284882772f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e-playwright.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CAMPERBOT_NO_TRANSLATE` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CAMPERBOT_NO_TRANSLATE }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 57230, "scanner": "repobility-supply-chain", "fingerprint": "7aa7ada7658a762a88a77863e8f5292728ffa31e0aead85f1a4724826de7584a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7aa7ada7658a762a88a77863e8f5292728ffa31e0aead85f1a4724826de7584a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/i18n-validate-prs.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 57229, "scanner": "repobility-supply-chain", "fingerprint": "eb9dd95ccfafdde3eb10f9f0795dcbde029befa2a3922c2352fc940b8c47fafd", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eb9dd95ccfafdde3eb10f9f0795dcbde029befa2a3922c2352fc940b8c47fafd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js-tests.yml"}, "region": {"startLine": 278}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TURBO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TURBO_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 57228, "scanner": "repobility-supply-chain", "fingerprint": "ee3d6d5abdc20e050bf98db6075892b485aca4ff944a498cbe549485cbbf5b93", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ee3d6d5abdc20e050bf98db6075892b485aca4ff944a498cbe549485cbbf5b93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js-tests.yml"}, "region": {"startLine": 277}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 57227, "scanner": "repobility-supply-chain", "fingerprint": "37b976035c79bc488cad73a82d44e4aa3d5a7a1f8d2713b9b68a6f9ba986adea", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|37b976035c79bc488cad73a82d44e4aa3d5a7a1f8d2713b9b68a6f9ba986adea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js-tests.yml"}, "region": {"startLine": 223}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TURBO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TURBO_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 57226, "scanner": "repobility-supply-chain", "fingerprint": "6db7b5593c410de7c2c85ddf0d2b8dca386e5f52969c9af14f1e72e2cace62e0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6db7b5593c410de7c2c85ddf0d2b8dca386e5f52969c9af14f1e72e2cace62e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js-tests.yml"}, "region": {"startLine": 222}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 57225, "scanner": "repobility-supply-chain", "fingerprint": "1ae854d04a6a9039f3c182761340693844dc6e4a91463d56307fda7481e25d4e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1ae854d04a6a9039f3c182761340693844dc6e4a91463d56307fda7481e25d4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js-tests.yml"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TURBO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TURBO_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 57224, "scanner": "repobility-supply-chain", "fingerprint": "d937674c22135b6ed7fd141b464680dcff9f3a8280dc443ef1f4ef3d8634255f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d937674c22135b6ed7fd141b464680dcff9f3a8280dc443ef1f4ef3d8634255f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js-tests.yml"}, "region": {"startLine": 169}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 57223, "scanner": "repobility-supply-chain", "fingerprint": "95fa9f84a424decd0bc111491f23c1734a148bb032cd4f264e8158aaf5717920", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|95fa9f84a424decd0bc111491f23c1734a148bb032cd4f264e8158aaf5717920"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js-tests.yml"}, "region": {"startLine": 127}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TURBO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TURBO_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 57222, "scanner": "repobility-supply-chain", "fingerprint": "0ad8438822d925326a649e368ff7bd366bdd5939e786e78cb39215df36ee5c59", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0ad8438822d925326a649e368ff7bd366bdd5939e786e78cb39215df36ee5c59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js-tests.yml"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 57221, "scanner": "repobility-supply-chain", "fingerprint": "8fc7cbeac3f201b364dc946bb41363c81927d5921110d40a889b7919abd3b393", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8fc7cbeac3f201b364dc946bb41363c81927d5921110d40a889b7919abd3b393"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js-tests.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TURBO_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TURBO_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 57220, "scanner": "repobility-supply-chain", "fingerprint": "f4054e5fe2d5411ffa618733138db7a2acb05aad1e38cdb10f3622a28518baf9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f4054e5fe2d5411ffa618733138db7a2acb05aad1e38cdb10f3622a28518baf9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/node.js-tests.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "properties": {"repobilityId": 57158, "scanner": "repobility-threat-engine", "fingerprint": "15e2b474942c80aac498923a8f9a34d2a60c0bc5b16a78312c5844761df09089", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|15e2b474942c80aac498923a8f9a34d2a60c0bc5b16a78312c5844761df09089"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "curriculum/src/file-handler.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe 
Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 57156, "scanner": "repobility-threat-engine", "fingerprint": "6ef2906d458d079fd46ae30582641ceef6edd490a48a721e945b8089e13687d8", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6ef2906d458d079fd46ae30582641ceef6edd490a48a721e945b8089e13687d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/challenge-parser/parser/plugins/add-frontmatter.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 57155, "scanner": "repobility-threat-engine", "fingerprint": "386573cb5a6dee25cf74ef3ca2aa0b976e618aad27290eef3f30d9a2ad85ca2c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|386573cb5a6dee25cf74ef3ca2aa0b976e618aad27290eef3f30d9a2ad85ca2c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/challenge-linter/src/index.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 57154, "scanner": "repobility-threat-engine", "fingerprint": "b40992e71da984d7f82ba986258b8a05f05adecd05f8d911f46cd28786bb29b9", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b40992e71da984d7f82ba986258b8a05f05adecd05f8d911f46cd28786bb29b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/tools/download-trending.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. 
`unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 57152, "scanner": "repobility-threat-engine", "fingerprint": "abdeac1ddbd33067f04d2b40ed5c8d30a38e9d5593bbe6802df971fa3059c588", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|11|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/challenge-parser/parser/plugins/add-frontmatter.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. 
`unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 57151, "scanner": "repobility-threat-engine", "fingerprint": "8e27e10ebfa72e962fd920d97b6947aa252c7f18b26fd47ae6e3cd7fb67e7888", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|14|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/challenge-linter/src/index.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 57150, "scanner": "repobility-threat-engine", "fingerprint": "000cf71426b150be4fb3cf92854b65d9f501285203583f2374bd02119ed60fea", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|54|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/tools/download-trending.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). 
Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 57148, "scanner": "repobility-threat-engine", "fingerprint": "18acccf5731724113dd57a4f8f11c36c7909c43f98d77c2f72dc9688219ac836", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(node.value)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|18acccf5731724113dd57a4f8f11c36c7909c43f98d77c2f72dc9688219ac836"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/challenge-parser/parser/plugins/add-frontmatter.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). 
Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 57147, "scanner": "repobility-threat-engine", "fingerprint": "f61f962160e609c9e50945fbe50e1166a3a08869401180488a7c3b5921f9879d", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "YAML.load(lintRules)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f61f962160e609c9e50945fbe50e1166a3a08869401180488a7c3b5921f9879d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/challenge-linter/src/index.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). 
Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 57146, "scanner": "repobility-threat-engine", "fingerprint": "41aef25dcf8214d3a9fedcea1753d9f744ec5f9c8214c23d322fcee445134cab", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(data)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|41aef25dcf8214d3a9fedcea1753d9f744ec5f9c8214c23d322fcee445134cab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/tools/download-trending.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 57141, "scanner": "repobility-threat-engine", "fingerprint": "ef638b1a086f079fb7ff3b9a3b54c92d8d24a433366bc5626ce30e5bd3a4c12c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(target", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ef638b1a086f079fb7ff3b9a3b54c92d8d24a433366bc5626ce30e5bd3a4c12c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "client/src/utils/get-words.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED015", "level": "error", "message": {"text": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. 
Code injection."}, "properties": {"repobilityId": 57080, "scanner": "repobility-threat-engine", "fingerprint": "ed9f5cb039d6303ff26ebfac2ea3e92683108309a73c0b92fd96b2ca644497fc", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-eval-call", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347933+00:00", "triaged_in_corpus": 20, "observations_count": 85733, "ai_coder_pattern_id": 161}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ed9f5cb039d6303ff26ebfac2ea3e92683108309a73c0b92fd96b2ca644497fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED015", "level": "error", "message": {"text": "[MINED015] Ruby Eval Call: eval() executes arbitrary code. Code injection."}, "properties": {"repobilityId": 57079, "scanner": "repobility-threat-engine", "fingerprint": "d93888df4070ded0a93722aa358fe9488344612dfcef5ff680d9243e339e0271", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ruby-eval-call", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["ruby"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347933+00:00", "triaged_in_corpus": 20, "observations_count": 85733, "ai_coder_pattern_id": 161}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d93888df4070ded0a93722aa358fe9488344612dfcef5ff680d9243e339e0271"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/docker-compose.yml"}, "region": {"startLine": 32}}}]}]}]}