{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `redis-rest` image uses the latest tag", "shortDescription": {"text": "Compose service `redis-rest` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage 
after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR017", "name": "Dockerfile installs dependencies after copying the full source tree", "shortDescription": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "fullDescription": {"text": "Copy dependency manifests first, install dependencies in a cached layer, then copy the rest of the source tree."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. 
Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a loopback host port", "shortDescription": {"text": "Database service publishes a loopback host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.58, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", 
"shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": 
"repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED042", "name": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk.", "shortDescription": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED049] Print Pii (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 17 more): Same pattern found in 17 additional files. 
Review if nee", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 42 more): Same pattern found in 42 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED047", "name": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested.", "shortDescription": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 46 more): Same pattern found in 46 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 46 more): Same pattern found in 46 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 22 more): Same pattern found in 22 additional f", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 30 more): Same pattern found in 30 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 3 more): Same pattern found in 3 additional files. ", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard (and 18 more): Same pattern found in 18 additional files. Review if needed.", "shortDescription": {"text": "[MINED065] Cors Wildcard (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 104 more): Same pattern found in 104 ad", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 104 more): Same pattern found in 104 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 276 more): Same pattern found in 276 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 276 more): Same pattern found in 276 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: * (and 2 more): Same pattern found in 2 additional files. Review i", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: * (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. 
Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images "}, "fullDescription": {"text": "Replace with: `FROM node:22-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED031", "name": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render.", "shortDescription": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in G", "shortDescription": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED127", "name": "[MINED127] Cryptominer signature: `xmrig`: Source contains a known cryptominer signature (`xmrig`). Could be a deliberat", "shortDescription": {"text": "[MINED127] Cryptominer signature: `xmrig`: Source contains a known cryptominer signature (`xmrig`). Could be a deliberate malicious payload, a compromised dependency, or a copy-paste from a tutorial \u2014 but it warrants immediate investigation"}, "fullDescription": {"text": "Verify the file's provenance \u2014 when was it added, by whom, in what PR. 
Search the repo for related indicators (binary blobs, outbound network calls, base64-encoded shell scripts)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "JRN001", "name": "Token handoff appears to use a callback URL or fragment", "shortDescription": {"text": "Token handoff appears to use a callback URL or fragment"}, "fullDescription": {"text": "Use a server-side one-time authorization code tied to a registered callback allowlist. Do not append access tokens to callback URLs or fragments."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/fi", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrar", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. 
Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python obje", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/918"}, "properties": {"repository": "koala73/worldmonitor", "repoUrl": "https://github.com/koala73/worldmonitor", "branch": "main"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 86296, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKC013", 
"level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 86294, "scanner": "repobility-docker", "fingerprint": "a278f5f6894a5f7bf3317150d5c3c03d503266efd574b231587e4513ad07adf3", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis-rest", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|a278f5f6894a5f7bf3317150d5c3c03d503266efd574b231587e4513ad07adf3", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `redis-rest` image uses the latest tag"}, "properties": {"repobilityId": 86292, "scanner": "repobility-docker", "fingerprint": "de6efb08ab12eac01ff24b8afde455b5453505c896ccdca5c9231d238a71b051", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "worldmonitor-redis-rest:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|de6efb08ab12eac01ff24b8afde455b5453505c896ccdca5c9231d238a71b051"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `ais-relay` image uses the latest tag"}, "properties": {"repobilityId": 86288, "scanner": "repobility-docker", "fingerprint": 
"3c0568104261104b6461443d73c629ab746989df36221d2e4aad1ed4aac24b55", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "worldmonitor-ais-relay:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3c0568104261104b6461443d73c629ab746989df36221d2e4aad1ed4aac24b55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `worldmonitor` image uses the latest tag"}, "properties": {"repobilityId": 86285, "scanner": "repobility-docker", "fingerprint": "962c7358d5ffe21300e48a57bf3a030858385de4ed4df582b94ea44043b213af", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "worldmonitor:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|962c7358d5ffe21300e48a57bf3a030858385de4ed4df582b94ea44043b213af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 86284, "scanner": "repobility-docker", "fingerprint": "9c4cbdf21ce65dd2dd7a667bd96226adb75b1637d38cf02989bd112e9c7a83cd", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", 
"verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:22-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9c4cbdf21ce65dd2dd7a667bd96226adb75b1637d38cf02989bd112e9c7a83cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.redis-rest"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 86283, "scanner": "repobility-docker", "fingerprint": "9317b71042e24253540656b06bff9afdfc7c4d953149aa0f898f9afe7785d719", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "nginx:alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9317b71042e24253540656b06bff9afdfc7c4d953149aa0f898f9afe7785d719"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 86282, "scanner": "repobility-docker", "fingerprint": "29424b5cf00e5beaafd03a3a8cc62e110df159fb36680ac0e88b58f14285cd7b", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 11 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 11, "correlation_key": "fp|29424b5cf00e5beaafd03a3a8cc62e110df159fb36680ac0e88b58f14285cd7b", "dependency_install_line": 14}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 86281, "scanner": "repobility-docker", "fingerprint": "3f631cb8cc1001d6c6854f801d45c18cc63fb1d40da4290b6cd3e6bfa89a34d3", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|3f631cb8cc1001d6c6854f801d45c18cc63fb1d40da4290b6cd3e6bfa89a34d3", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 86280, "scanner": "repobility-docker", "fingerprint": "8d5f4fef59d452d08bce107aeb6bb5975b2de9658b2d80d2d24c50e2432c974b", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", 
"final_base": "node:20-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8d5f4fef59d452d08bce107aeb6bb5975b2de9658b2d80d2d24c50e2432c974b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "consumer-prices-core/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 86279, "scanner": "repobility-docker", "fingerprint": "6fe95278c1ed08f309446a51b2a94dbae6f1677418019e9a3f3992aa0e077dfb", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:22-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6fe95278c1ed08f309446a51b2a94dbae6f1677418019e9a3f3992aa0e077dfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.seed-bundle-resilience-validation"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 86278, "scanner": "repobility-docker", "fingerprint": "ba6993caa45314c6a6ee45887206be52183db3f000c26c0969767e355895a00f", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", 
"final_base": "node:22-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|ba6993caa45314c6a6ee45887206be52183db3f000c26c0969767e355895a00f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.seed-bundle-portwatch-port-activity"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 86277, "scanner": "repobility-docker", "fingerprint": "c4983394e619ba7b0b2fab0978b9c09d5246f698ae0401690d29f5d8c8aa72fa", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:22-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c4983394e619ba7b0b2fab0978b9c09d5246f698ae0401690d29f5d8c8aa72fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.relay"}, "region": {"startLine": 10}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 86276, "scanner": "repobility-docker", "fingerprint": "fed46fd10164f8256b18e7de9cb6cb88a7c3c8ce20d02cb4fa85d6b627e63fd8", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", 
"final_base": "node:22-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|fed46fd10164f8256b18e7de9cb6cb88a7c3c8ce20d02cb4fa85d6b627e63fd8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.digest-notifications"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 86274, "scanner": "repobility-docker", "fingerprint": "83b52730d0f73fad25ca7b5c55b6c8fd17426afc1ca8e2f6955a60bdffa45fa2", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|83b52730d0f73fad25ca7b5c55b6c8fd17426afc1ca8e2f6955a60bdffa45fa2", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 20}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 86245, "scanner": "repobility-threat-engine", "fingerprint": "86153c5f9591de51817db17255bd1a11c9fdf9e259302f89e897103af8591e89", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random().toString(36).slice(2)}`;\n  const token = <redacted>", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|86153c5f9591de51817db17255bd1a11c9fdf9e259302f89e897103af8591e89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/widget-sanitizer.ts"}, "region": {"startLine": 201}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 86241, "scanner": "repobility-threat-engine", "fingerprint": "711d8b5863657bc24667e06f0eef47690bb9a3841007844ac8aa2989dfff0a0a", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(sanitizeUrl(url)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|135|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/TelegramIntelPanel.ts"}, "region": {"startLine": 135}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 86240, "scanner": "repobility-threat-engine", "fingerprint": "5ee8b5d3f420af022e1244c65bb4cd5d494dc709bbd05eccdf4ab97052953132", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(urls.whatsapp, '_blank')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|157|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/StoryModal.ts"}, "region": {"startLine": 157}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 86239, "scanner": "repobility-threat-engine", "fingerprint": "d48e0467bdc8240fed4805967a51492f019c208acf8c1381afd0fe25e3f1f56c", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"https://${escapeHtml(emailDomain)}\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|80|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/worldmonitor/leads/v1/submit-contact.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 86219, "scanner": "repobility-threat-engine", "fingerprint": "a0a62afeb79f228578174cc2f7ba8fe0bcba5798e5ac03a36bd17b8a75361d5e", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|55|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/_content-age-helpers.mjs"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 86218, "scanner": "repobility-threat-engine", "fingerprint": "d10632b1702400d4698616585a804bde83d3e247f135a91b981b31317eea2222", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|docker/redis-rest-proxy.mjs|132|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/redis-rest-proxy.mjs"}, "region": {"startLine": 132}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 86217, "scanner": "repobility-threat-engine", "fingerprint": "23e8f7df0f8d180fa6f224919fb3495cc3f14d4adbff83c7677578692d9bb6e9", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|57|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "consumer-prices-core/src/normalizers/size.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 86205, "scanner": "repobility-threat-engine", "fingerprint": "86fdbfed66bb12fb8699bf6640bd08d2ec292712852c796add9edd50d4c9269b", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|37|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/build-agent-skills-index.mjs"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 86204, "scanner": "repobility-threat-engine", "fingerprint": "f01e3f50f8e619ca2aa0cdaf1b1d3a876cb7e703e126f8ac36fd853e3290eb1a", "category": "deserialization", "severity": 
"medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|13|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "consumer-prices-core/src/config/loader.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 86194, "scanner": "repobility-threat-engine", "fingerprint": "b45d449b35a52f767e9a6305dd90e468d2fac292dfd5547c855a7317f34cbdbb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url: 'https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b45d449b35a52f767e9a6305dd90e468d2fac292dfd5547c855a7317f34cbdbb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/services/mcp-store.ts"}, "region": {"startLine": 167}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. 
AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 86193, "scanner": "repobility-threat-engine", "fingerprint": "5a03ebec1fdd5d721312f413b6cd3d953abaf42862523c29e58a2f33725fe91a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url: 'https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5a03ebec1fdd5d721312f413b6cd3d953abaf42862523c29e58a2f33725fe91a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "consumer-prices-core/src/acquisition/firecrawl.ts"}, "region": {"startLine": 137}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 86183, "scanner": "repobility-threat-engine", "fingerprint": "ce949a38e4952f985ba5e72cd5903c873d0662afbbc833a9612954250d8d6857", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ce949a38e4952f985ba5e72cd5903c873d0662afbbc833a9612954250d8d6857"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/mcp/quota.ts"}, "region": {"startLine": 100}}}]}, {"ruleId": "ERR002", "level": "warning", "message": 
{"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 86182, "scanner": "repobility-threat-engine", "fingerprint": "294a148ee96055fd4eda4014fe0c362dd4d2620442e6b5dccfbd20f1f556d684", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch(e){}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|294a148ee96055fd4eda4014fe0c362dd4d2620442e6b5dccfbd20f1f556d684"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/discord/oauth/callback.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 86181, "scanner": "repobility-threat-engine", "fingerprint": "a927a98d4c8d332a4063ecb303de632845c5f84e8b83f37dfea7f40d399d0a8c", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a927a98d4c8d332a4063ecb303de632845c5f84e8b83f37dfea7f40d399d0a8c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/_sentry-common.js"}, "region": {"startLine": 186}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 86298, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", 
"severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 86295, "scanner": "repobility-docker", "fingerprint": "e743b40778ea769d2d4ebd79b583350c04dd3623650d25f53a539fbd4e8ce64d", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis-rest", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|e743b40778ea769d2d4ebd79b583350c04dd3623650d25f53a539fbd4e8ce64d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "DKC011", "level": "note", "message": {"text": "Database service publishes a loopback host port"}, "properties": {"repobilityId": 86293, "scanner": "repobility-docker", "fingerprint": "fc67e1a0849b6d97810c7cae419dc82a23f9842166fb28c8d60045a7a98ead10", "category": "docker", "severity": "low", "confidence": 0.58, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Database-like image publishes only loopback host ports.", "evidence": {"ports": [{"raw": "127.0.0.1:8079:80", "target": "80", "host_ip": "127.0.0.1", "published": "8079"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": 
"redis-rest", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "loopback", "correlation_key": "fp|fc67e1a0849b6d97810c7cae419dc82a23f9842166fb28c8d60045a7a98ead10"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 86291, "scanner": "repobility-docker", "fingerprint": "a1907b9a7048030ba3d122d5c8456f40a4b2f0983cf0bdf4c89978df9ac7da20", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|a1907b9a7048030ba3d122d5c8456f40a4b2f0983cf0bdf4c89978df9ac7da20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 86290, "scanner": "repobility-docker", "fingerprint": "f3e0169f72e598eccabbc3fe625a9f197e957ac9d8916da5a5cc5202c7bf29b5", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "ais-relay", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|f3e0169f72e598eccabbc3fe625a9f197e957ac9d8916da5a5cc5202c7bf29b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 86289, "scanner": "repobility-docker", "fingerprint": "931258b8c6c1df5feaa5a7ce606d2be07ba2d003cd0fdec00f01f7ec2ad45c01", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "ais-relay", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|931258b8c6c1df5feaa5a7ce606d2be07ba2d003cd0fdec00f01f7ec2ad45c01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 86287, "scanner": "repobility-docker", "fingerprint": "f9ef3fa412c6904c7ab49ce657124cdd953c95a6fc6b3148bbe4af064f246d9b", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "worldmonitor", "dependency": "redis-rest", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|f9ef3fa412c6904c7ab49ce657124cdd953c95a6fc6b3148bbe4af064f246d9b", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 
14}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 86286, "scanner": "repobility-docker", "fingerprint": "49be23fe4552e6688c61304675387613c3c169d5850d2f1005abb41fb7ae53c0", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "worldmonitor", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|49be23fe4552e6688c61304675387613c3c169d5850d2f1005abb41fb7ae53c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 86275, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86273, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"eb0ec5fd2295e203d0b59e68f0792e8e0d4f0e6de3c0f44e6cb7dbaf2e9df5e3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/worldmonitor/market/v1/list-ai-tokens.ts", "duplicate_line": 14, "correlation_key": "fp|eb0ec5fd2295e203d0b59e68f0792e8e0d4f0e6de3c0f44e6cb7dbaf2e9df5e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/worldmonitor/market/v1/list-other-tokens.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86272, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6efad17c180988a80441b6c5fdd1514b690d7d494fc80b09883eab2671d016e9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/worldmonitor/market/v1/list-ai-tokens.ts", "duplicate_line": 14, "correlation_key": "fp|6efad17c180988a80441b6c5fdd1514b690d7d494fc80b09883eab2671d016e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/worldmonitor/market/v1/list-defi-tokens.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86271, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bff93d656fcb03ed08491ba59a1d04afb5d24d8b5987bf23699150882170ac99", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "convex/payments/subscriptionEmails.ts", "duplicate_line": 138, "correlation_key": "fp|bff93d656fcb03ed08491ba59a1d04afb5d24d8b5987bf23699150882170ac99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/worldmonitor/leads/v1/register-interest.ts"}, "region": {"startLine": 127}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86270, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a1bd92f67a75d7a022bad42e7d5c0759bf40f89711dc044d08976ad6f0679c95", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/worldmonitor/intelligence/v1/compute-energy-shock.ts", "duplicate_line": 37, "correlation_key": "fp|a1bd92f67a75d7a022bad42e7d5c0759bf40f89711dc044d08976ad6f0679c95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/worldmonitor/intelligence/v1/get-country-energy-profile.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86269, "scanner": "repobility-ai-code-hygiene", "fingerprint": "83434c5c97b94e5650b0e9412e49b56033dba4490776ef03ff4383eaf959a85a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/worldmonitor/conflict/v1/get-humanitarian-summary-batch.ts", "duplicate_line": 70, "correlation_key": "fp|83434c5c97b94e5650b0e9412e49b56033dba4490776ef03ff4383eaf959a85a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/worldmonitor/conflict/v1/get-humanitarian-summary.ts"}, "region": {"startLine": 96}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86268, "scanner": "repobility-ai-code-hygiene", "fingerprint": "47e685ef8cee13920e86c696a4407630125c53b59b6df9924e9bb38a86f7f6cf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/_seed-envelope.js", "duplicate_line": 4, "correlation_key": "fp|47e685ef8cee13920e86c696a4407630125c53b59b6df9924e9bb38a86f7f6cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/_shared/seed-envelope.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86267, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0269ebb7a6bf459cff31428d4d5bce8fc162538cca99c1c6fefcaddbc3a5c176", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test 
files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/_rate-limit.js", "duplicate_line": 7, "correlation_key": "fp|0269ebb7a6bf459cff31428d4d5bce8fc162538cca99c1c6fefcaddbc3a5c176"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/_shared/rate-limit.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86266, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fbc97ead455b5f97fb061116029724bf3a76d353f7680e890964cea04655c9bf", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/bootstrap.js", "duplicate_line": 15, "correlation_key": "fp|fbc97ead455b5f97fb061116029724bf3a76d353f7680e890964cea04655c9bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/_shared/cache-keys.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86265, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cbb000cd1f5860b4fe98faa661ee2d11cc58ed999a2265bcc62ba5d39b0010c3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "server/_shared/brief-share-url.ts", 
"duplicate_line": 18, "correlation_key": "fp|cbb000cd1f5860b4fe98faa661ee2d11cc58ed999a2265bcc62ba5d39b0010c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/_shared/brief-url.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86264, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ccbb9b6bede0eebd14da38508d5b546e921daa8f25bb04012c34a99607d692ec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "convex/payments/cacheActions.ts", "duplicate_line": 11, "correlation_key": "fp|ccbb9b6bede0eebd14da38508d5b546e921daa8f25bb04012c34a99607d692ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "convex/schema.ts"}, "region": {"startLine": 276}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86263, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fc390e5285c565126924cac02501ec9f39ff9af00badd3bf42a2ed81be4ff1e2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "convex/broadcast/audienceWaveExport.ts", "duplicate_line": 87, "correlation_key": "fp|fc390e5285c565126924cac02501ec9f39ff9af00badd3bf42a2ed81be4ff1e2"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": "convex/broadcast/backfillCanaryWaveStamps.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86262, "scanner": "repobility-ai-code-hygiene", "fingerprint": "968edc439bd988f7608947a1c70bace3a5ce4ee6a2f582e8f220474d70d2b432", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "convex/broadcast/audienceExport.ts", "duplicate_line": 27, "correlation_key": "fp|968edc439bd988f7608947a1c70bace3a5ce4ee6a2f582e8f220474d70d2b432"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "convex/broadcast/audienceWaveExport.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86261, "scanner": "repobility-ai-code-hygiene", "fingerprint": "56997a250642e1331136de47c3984f4ffd5404aad4546e428591013b6aae2890", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/_api-key.js", "duplicate_line": 18, "correlation_key": "fp|56997a250642e1331136de47c3984f4ffd5404aad4546e428591013b6aae2890"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/widget-agent.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block 
across source files"}, "properties": {"repobilityId": 86260, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d278351e9e70514f39db871bf8d68c0b17efa13988f1c9e73f792896f8e3250", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/v2/shipping/webhooks/[subscriberId].ts", "duplicate_line": 17, "correlation_key": "fp|8d278351e9e70514f39db871bf8d68c0b17efa13988f1c9e73f792896f8e3250"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/v2/shipping/webhooks/[subscriberId]/[action].ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86259, "scanner": "repobility-ai-code-hygiene", "fingerprint": "683fc58f39b2abd2eee56c467c0642f5161d6434245d9709bf3507cb29d205ec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/latest-brief.ts", "duplicate_line": 81, "correlation_key": "fp|683fc58f39b2abd2eee56c467c0642f5161d6434245d9709bf3507cb29d205ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/symbol-search.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86258, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"fff5bc2e6c3c8270b8efbce0ae592804c54ecdf6cf2990c1428ba1317e617b8a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/gpsjam.js", "duplicate_line": 42, "correlation_key": "fp|fff5bc2e6c3c8270b8efbce0ae592804c54ecdf6cf2990c1428ba1317e617b8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/supply-chain/hormuz-tracker.js"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86257, "scanner": "repobility-ai-code-hygiene", "fingerprint": "efef3e315c59548e72a2f124249eca8812ced11e69af4dd6103d02338925ecb5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/discord/oauth/start.ts", "duplicate_line": 7, "correlation_key": "fp|efef3e315c59548e72a2f124249eca8812ced11e69af4dd6103d02338925ecb5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/slack/oauth/start.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86256, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d19a76068c1f1105cac2146046652bb61e099a184d8132e25637e343ccc21473", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": 
false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/discord/oauth/callback.ts", "duplicate_line": 5, "correlation_key": "fp|d19a76068c1f1105cac2146046652bb61e099a184d8132e25637e343ccc21473"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/slack/oauth/callback.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86255, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7a2d99674faaa808509889be0d6cdff455456d87a9a1c72e652d6a24bd2e0b1c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/oauth/authorize-pro.ts", "duplicate_line": 37, "correlation_key": "fp|7a2d99674faaa808509889be0d6cdff455456d87a9a1c72e652d6a24bd2e0b1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/oauth/token.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86254, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c866b934ff01d2e15db4a0d513e66e67e47240a1aec457367f86a522b27f09eb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "api/internal/mcp-grant-mint.ts", "duplicate_line": 39, "correlation_key": "fp|c866b934ff01d2e15db4a0d513e66e67e47240a1aec457367f86a522b27f09eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/oauth/authorize-pro.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86253, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7c32027fd0471c57c21ac54bcd6a870fcf72cbfb7175cff1584c816fc2adb9c9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/invalidate-user-api-key-cache.ts", "duplicate_line": 11, "correlation_key": "fp|7c32027fd0471c57c21ac54bcd6a870fcf72cbfb7175cff1584c816fc2adb9c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/notify.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86252, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ee6cabb6c652fc42cff01793c777bfe56ab6967fe55b01902bd756a9ec3cbef0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/brief/share-url.ts", "duplicate_line": 16, "correlation_key": 
"fp|ee6cabb6c652fc42cff01793c777bfe56ab6967fe55b01902bd756a9ec3cbef0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/latest-brief.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86251, "scanner": "repobility-ai-code-hygiene", "fingerprint": "546080f9f9ead1f6d976d942a44b502824aa9ec61d1d54d0e330fb9bafad426a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/brief/share-url.ts", "duplicate_line": 21, "correlation_key": "fp|546080f9f9ead1f6d976d942a44b502824aa9ec61d1d54d0e330fb9bafad426a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/invalidate-user-api-key-cache.ts"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86250, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5ff9449d20ded6cc23171534d5f377da6374443b8430cdd59fddfd3c4ebabfb1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/internal/mcp-grant-context.ts", "duplicate_line": 17, "correlation_key": "fp|5ff9449d20ded6cc23171534d5f377da6374443b8430cdd59fddfd3c4ebabfb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/internal/mcp-grant-mint.ts"}, 
"region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86249, "scanner": "repobility-ai-code-hygiene", "fingerprint": "25e79168f30a8d4760ced863487dff29ee44551cfd11b36491e9a3bc450a11e9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/create-checkout.ts", "duplicate_line": 1, "correlation_key": "fp|25e79168f30a8d4760ced863487dff29ee44551cfd11b36491e9a3bc450a11e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/customer-portal.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 86248, "scanner": "repobility-ai-code-hygiene", "fingerprint": "39fcfdd18d773d2b6456551688032144d0308ae3a02b7157dd629a2a7fed31d7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/brief/[userId]/[issueDate].ts", "duplicate_line": 17, "correlation_key": "fp|39fcfdd18d773d2b6456551688032144d0308ae3a02b7157dd629a2a7fed31d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/brief/public/[hash].ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 86247, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "07aad8d0ade0c1fd1637f3b94a11368292632be7abebc9a07216ac28cb712ca9", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "update", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|07aad8d0ade0c1fd1637f3b94a11368292632be7abebc9a07216ac28cb712ca9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/bootstrap/sw-update.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 86246, "scanner": "repobility-ai-code-hygiene", "fingerprint": "31217d105535c0b194fc1e2a13489f3575c4f4833cba8fe6e26d1ff03b4ed8c7", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "rewrite", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|31217d105535c0b194fc1e2a13489f3575c4f4833cba8fe6e26d1ff03b4ed8c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/alias-rewrite.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 86244, "scanner": "repobility-threat-engine", "fingerprint": "512500ad72e42b3b4d4a2d0af89564952a7c6d1f3d6e15882996f584738634c8", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source 
(request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = h", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|src/utils/dom-utils.ts|73|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/utils/dom-utils.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\" (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 86242, "scanner": "repobility-threat-engine", "fingerprint": "0eef884db84dc77198cfae04feff1d5e87337621ea6e75bc6e5e06b9220adcd5", "category": "security", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0eef884db84dc77198cfae04feff1d5e87337621ea6e75bc6e5e06b9220adcd5"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 86238, "scanner": "repobility-threat-engine", "fingerprint": "21ed80a5ddd021c94a20eb62cddc1b0c5075df63c6fe0fac4807d3c18a53bcad", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|21ed80a5ddd021c94a20eb62cddc1b0c5075df63c6fe0fac4807d3c18a53bcad", "aggregated_count": 4}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 86237, "scanner": "repobility-threat-engine", "fingerprint": "5708f60c46407bcdad1566896cbbb3937476a68b3617a2b60d13bace17fab720", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5708f60c46407bcdad1566896cbbb3937476a68b3617a2b60d13bace17fab720"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/worldmonitor/leads/v1/submit-contact.ts"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 86236, "scanner": "repobility-threat-engine", "fingerprint": "2a3bcd75f8fc34bffa015645da9648024c6dc56f3ad5dbbc6f90e2287b283dab", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2a3bcd75f8fc34bffa015645da9648024c6dc56f3ad5dbbc6f90e2287b283dab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/worldmonitor/intelligence/v1/get-country-risk.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 86235, "scanner": "repobility-threat-engine", "fingerprint": "62a01b6657da64ada71e70de40d27a46568cb8a7604fda80c34cb714fc9f0586", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|62a01b6657da64ada71e70de40d27a46568cb8a7604fda80c34cb714fc9f0586"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/error-mapper.ts"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 86234, "scanner": "repobility-threat-engine", "fingerprint": "b58df9499acfd10b1e20b964429ac887f20e8cc016c1011756c8f46ae09a5873", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b58df9499acfd10b1e20b964429ac887f20e8cc016c1011756c8f46ae09a5873", "aggregated_count": 3}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 86233, "scanner": "repobility-threat-engine", "fingerprint": "26c1511fc81499c3ccf4523580ba187df2d05c68e1bf71a006011c3f61d30928", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|26c1511fc81499c3ccf4523580ba187df2d05c68e1bf71a006011c3f61d30928"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/worldmonitor/economic/v1/_shared.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 86232, "scanner": "repobility-threat-engine", "fingerprint": "2cb90e3420eb55d1a925f45015b044fec5f928c07e0f7d26f8cbf07500c8a811", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2cb90e3420eb55d1a925f45015b044fec5f928c07e0f7d26f8cbf07500c8a811"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/worldmonitor/aviation/v1/list-aviation-news.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 86231, "scanner": "repobility-threat-engine", "fingerprint": "656ff5651ff1599a239996827c3c7da398cacc2576e7af116549cafb6e275ee4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|656ff5651ff1599a239996827c3c7da398cacc2576e7af116549cafb6e275ee4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "server/_shared/seed-envelope.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 86230, "scanner": "repobility-threat-engine", "fingerprint": "b4d4188c03b189d00c3a17f39be3da3106d96e5e7586059ac0cc4ade2adf3284", "category": "quality", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern '\\.json' detected on same line", "evidence": {"match": "require(join", "reason": "Safe pattern '\\.json' detected on same line", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "fp|b4d4188c03b189d00c3a17f39be3da3106d96e5e7586059ac0cc4ade2adf3284"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/shared/geo-extract.mjs"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED042", "level": "none", "message": {"text": "[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr \u2014 memory leak risk."}, "properties": {"repobilityId": 86229, "scanner": "repobility-threat-engine", "fingerprint": "b84dea96e9ec6120dc9c6f7366ef2b936c1791c2058b0c4461a150bca455b4ab", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cpp-new-without-delete", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347996+00:00", "triaged_in_corpus": 12, "observations_count": 4658256, "ai_coder_pattern_id": 134}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b84dea96e9ec6120dc9c6f7366ef2b936c1791c2058b0c4461a150bca455b4ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/resilience-reference-recompute.mts"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii (and 
4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 86228, "scanner": "repobility-threat-engine", "fingerprint": "2dbc83d54d7c26536309768fea7244b28f63eb48dd7b78fd5d1771cbe65580c9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2dbc83d54d7c26536309768fea7244b28f63eb48dd7b78fd5d1771cbe65580c9", "aggregated_count": 4}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 86227, "scanner": "repobility-threat-engine", "fingerprint": "c784d344be7888fe39dc383400ffbf589d9539350432f21ab13a45e8e0222097", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c784d344be7888fe39dc383400ffbf589d9539350432f21ab13a45e8e0222097"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/seed-internet-outages.mjs"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED049", "level": "none", "message": 
{"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 86226, "scanner": "repobility-threat-engine", "fingerprint": "b4a5ef2146bb26354328fe0901ed636ced0f1fa80f05a4996b4531383b244485", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b4a5ef2146bb26354328fe0901ed636ced0f1fa80f05a4996b4531383b244485"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/post-pr3487-force-refresh.mjs"}, "region": {"startLine": 72}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 86225, "scanner": "repobility-threat-engine", "fingerprint": "64da2a3a9782abb778bea6f5c41bf3b0e3a9dda4ad626c717c490ff010a2a82b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|64da2a3a9782abb778bea6f5c41bf3b0e3a9dda4ad626c717c490ff010a2a82b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/post-pr3427-force-refresh.mjs"}, "region": {"startLine": 59}}}]}, {"ruleId": 
"SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 17 more): Same pattern found in 17 additional files. Review if needed."}, "properties": {"repobilityId": 86224, "scanner": "repobility-threat-engine", "fingerprint": "edb2a9d9a98e363aa8c2f7f14fd7bce9de8bbc1c35f5a3c230b4a8d14e0198fd", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 17 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|edb2a9d9a98e363aa8c2f7f14fd7bce9de8bbc1c35f5a3c230b4a8d14e0198fd"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 86220, "scanner": "repobility-threat-engine", "fingerprint": "845d428a7e12c3eaeb5f0a0023e2c3332c906b9ccb56e56e203529d688ee59a4", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 18 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|845d428a7e12c3eaeb5f0a0023e2c3332c906b9ccb56e56e203529d688ee59a4"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 42 more): Same pattern found in 42 additional files. Review if needed."}, "properties": {"repobilityId": 86216, "scanner": "repobility-threat-engine", "fingerprint": "915d625a1cd3d635307408c7e9dd62556c17035d699f03473a5d696ba923633f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 42 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|915d625a1cd3d635307408c7e9dd62556c17035d699f03473a5d696ba923633f", "aggregated_count": 42}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 86215, "scanner": "repobility-threat-engine", "fingerprint": "4e0e79d445cec320ea92a22fc1354c0bee733d193ab4523d7e35b1c6a15af75f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4e0e79d445cec320ea92a22fc1354c0bee733d193ab4523d7e35b1c6a15af75f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "convex/payments/webhookMutations.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 86214, "scanner": "repobility-threat-engine", "fingerprint": "bc335493414b2f577b72aad353483e46de93dc2c7ffc7c0fefcabce02d0be0df", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bc335493414b2f577b72aad353483e46de93dc2c7ffc7c0fefcabce02d0be0df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "consumer-prices-core/src/matchers/canonical.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 86213, "scanner": "repobility-threat-engine", "fingerprint": "a23a8faaadcc030a807c1b09eb0a8464829574b542f2f55814b89593bc1f2230", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a23a8faaadcc030a807c1b09eb0a8464829574b542f2f55814b89593bc1f2230"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "consumer-prices-core/src/jobs/validate.ts"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 86203, "scanner": "repobility-threat-engine", "fingerprint": "b4c8aad643bb4523f44b78309d95db4f4ec80ad816d380520dfe07be6ec26c7e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b4c8aad643bb4523f44b78309d95db4f4ec80ad816d380520dfe07be6ec26c7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"src/services/i18n.ts"}, "region": {"startLine": 190}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 86202, "scanner": "repobility-threat-engine", "fingerprint": "87e020a918ab153f1b103c828886cc293b9cbd7897a4c0b4174fca69ed2e633a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": "fp|87e020a918ab153f1b103c828886cc293b9cbd7897a4c0b4174fca69ed2e633a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/seed-gold-etf-flows.mjs"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED047", "level": "none", "message": {"text": "[MINED047] Emoji In Source: Emoji \u2705 \u274c \ud83d\ude80 in code/comments \u2014 common AI output unless explicitly requested."}, "properties": {"repobilityId": 86201, "scanner": "repobility-threat-engine", "fingerprint": "cc1e4ee03a485b22951c09936ecf2ee2b3a162cd0b464e0908dc37bbea92b360", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "emoji-in-source", "owasp": null, "cwe_ids": [], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348010+00:00", "triaged_in_corpus": 9, "observations_count": 1468364, "ai_coder_pattern_id": 29}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|cc1e4ee03a485b22951c09936ecf2ee2b3a162cd0b464e0908dc37bbea92b360"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "consumer-prices-core/src/adapters/exa-search.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 46 more): Same pattern found in 46 additional files. Review if needed."}, "properties": {"repobilityId": 86198, "scanner": "repobility-threat-engine", "fingerprint": "24826d1477709fe0946d8cbd83806467cdf95a1abc490e56d5c203dabeab9c2e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 46 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 46 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|24826d1477709fe0946d8cbd83806467cdf95a1abc490e56d5c203dabeab9c2e"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "properties": {"repobilityId": 86192, "scanner": "repobility-threat-engine", "fingerprint": "faef1f153b909d55ba089c633cb12af33c44dd6d5b7539d52c2a7e7cc9f93782", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 22 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|faef1f153b909d55ba089c633cb12af33c44dd6d5b7539d52c2a7e7cc9f93782"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "properties": {"repobilityId": 86188, "scanner": "repobility-threat-engine", "fingerprint": "1486964fddabc4dbe0eca3ff5dab800d43de27623c4b1f0a4623d09e0bc356ac", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 30 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 30 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1486964fddabc4dbe0eca3ff5dab800d43de27623c4b1f0a4623d09e0bc356ac"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 86187, "scanner": "repobility-threat-engine", "fingerprint": "5ee4e7cd11a553595fd3ccdadacf2b3183ad2ac621c3b1397b1f108ef4a03185", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.error('[api/brief/carousel] BRIEF_URL_SIGNING_SECRET is not configured')", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|api/brief/carousel/ userid / issuedate / page .ts|8|console.error api/brief/carousel brief_url_signing_secret is not configured"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/brief/carousel/[userId]/[issueDate]/[page].ts"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 86186, "scanner": "repobility-threat-engine", "fingerprint": "282469a4fe11e0b668d6ebca5ebe72398227bbaeee7cd88817c8123b5c82e7d3", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.error('[api/brief] BRIEF_URL_SIGNING_SECRET is not configured')", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|api/brief/ userid / issuedate .ts|17|console.error api/brief brief_url_signing_secret is not configured"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/brief/[userId]/[issueDate].ts"}, "region": {"startLine": 174}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 86184, "scanner": "repobility-threat-engine", "fingerprint": "73235bed9d049d56ccbc9d049e03fa3703e96574f93b8aafb2fdb25cfdcb5296", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 19 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|73235bed9d049d56ccbc9d049e03fa3703e96574f93b8aafb2fdb25cfdcb5296"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 86180, "scanner": "repobility-threat-engine", "fingerprint": "22f086d0fdc97d81b8738c7e9d19e5d21469b0073a89ebfc090d5326c2797492", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|22f086d0fdc97d81b8738c7e9d19e5d21469b0073a89ebfc090d5326c2797492"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 86179, "scanner": "repobility-threat-engine", "fingerprint": "a04c69d3d89e0e31db928d189dd86ccc9cf0d052f9621cd1c84b25176424ef3c", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|api/oauth/register.js|115|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/oauth/register.js"}, "region": {"startLine": 115}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 86178, "scanner": "repobility-threat-engine", "fingerprint": "544c227dce454fa47c954b24b59b8a45d08d5058069a7eebf4baf5b742404f99", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|api/mcp/handler.ts|83|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/mcp/handler.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 86177, "scanner": "repobility-threat-engine", "fingerprint": "8ae6f5b7a9075902b9be7f6bf6dc667924ed61d05eddfba192824dc5a130b248", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|api/_sentry-common.js|73|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/_sentry-common.js"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 86176, "scanner": "repobility-threat-engine", "fingerprint": "497b380bf2e93035b90edebf0620f4482f9073e3f09cb35ed39b949ed918d423", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|497b380bf2e93035b90edebf0620f4482f9073e3f09cb35ed39b949ed918d423", "aggregated_count": 18}}}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 86175, "scanner": "repobility-threat-engine", "fingerprint": "c845a6526c7199c636e772e2fc2a080c424e4c84370b142de483d5acd0636fe7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c845a6526c7199c636e772e2fc2a080c424e4c84370b142de483d5acd0636fe7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/brief/carousel/[userId]/[issueDate]/[page].ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 86174, "scanner": "repobility-threat-engine", "fingerprint": "aa102d173d2f3726213a3c28a6d38eeab2a8756ffbc41d1e3b4b4b0d681b5228", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|aa102d173d2f3726213a3c28a6d38eeab2a8756ffbc41d1e3b4b4b0d681b5228"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/brief/[userId]/[issueDate].ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. 
Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 86173, "scanner": "repobility-threat-engine", "fingerprint": "54a43401721454e5f3cc69eaacd2a9283314f6a080e9845c84561e3a7494946e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|54a43401721454e5f3cc69eaacd2a9283314f6a080e9845c84561e3a7494946e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/_relay.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 86172, "scanner": "repobility-threat-engine", "fingerprint": "62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|62ff231053d16ded91f5d63a99a8b7f9a8d879f1bee1b23442cfa6701d92f730", "aggregated_count": 2}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 86171, "scanner": "repobility-threat-engine", "fingerprint": "8cb2026c94c0c1ce109257ff704c3d995b730c5818eef5fb38e7449a455f07fa", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8cb2026c94c0c1ce109257ff704c3d995b730c5818eef5fb38e7449a455f07fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "blog-site/src/pages/rss.xml.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 86170, "scanner": "repobility-threat-engine", "fingerprint": "12128d03ec8c03cb2a382c4327278e8661e057effb205aa5f13605a3e37d6c05", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|12128d03ec8c03cb2a382c4327278e8661e057effb205aa5f13605a3e37d6c05"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/fwdstart.js"}, "region": {"startLine": 80}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 86169, "scanner": "repobility-threat-engine", "fingerprint": "c5f76378d662f88aae76821a8317dbcc727c184fe98ef4f91d432d63ef36742f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c5f76378d662f88aae76821a8317dbcc727c184fe98ef4f91d432d63ef36742f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/_relay.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 104 more): Same pattern found in 104 additional files. 
Review if needed."}, "properties": {"repobilityId": 86168, "scanner": "repobility-threat-engine", "fingerprint": "4892e7b3aad920c740b318f88ee2f8a4bfaa61936417d4d32612c11b5fc8838e", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 104 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 104 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4892e7b3aad920c740b318f88ee2f8a4bfaa61936417d4d32612c11b5fc8838e"}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 276 more): Same pattern found in 276 additional files. Review if needed."}, "properties": {"repobilityId": 86164, "scanner": "repobility-threat-engine", "fingerprint": "8ca0759e78e97e32f0a5126c59a52f914b4c554f02614f6594e1b48bde751494", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 276 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8ca0759e78e97e32f0a5126c59a52f914b4c554f02614f6594e1b48bde751494", "aggregated_count": 276}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 86163, "scanner": "repobility-threat-engine", "fingerprint": "6945d40cd37f1b79243097d9d062b3b7a5ad1a7949c651901106a6dd3ffcbd4b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6945d40cd37f1b79243097d9d062b3b7a5ad1a7949c651901106a6dd3ffcbd4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/_relay.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 86162, "scanner": "repobility-threat-engine", "fingerprint": "025abc505df2ab5c33a701b8de5e718c38c8c7d1e9054c8e94fcf854b4aeab1c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|025abc505df2ab5c33a701b8de5e718c38c8c7d1e9054c8e94fcf854b4aeab1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/_rate-limit.js"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 86161, "scanner": "repobility-threat-engine", "fingerprint": "cdf85b3b93301aa7ae1b413e9e8f877b6a072a37999252a731ca87c9d0d0866d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cdf85b3b93301aa7ae1b413e9e8f877b6a072a37999252a731ca87c9d0d0866d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/_mcp-grant-hmac.ts"}, "region": {"startLine": 92}}}]}, {"ruleId": "SEC100", "level": "none", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: * (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 86160, "scanner": "repobility-threat-engine", "fingerprint": "54fca9d7755070a0bcdd2fd0d7901c558568e2ebe97f44d324816df3c5282639", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|54fca9d7755070a0bcdd2fd0d7901c558568e2ebe97f44d324816df3c5282639"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86335, "scanner": "repobility-supply-chain", "fingerprint": "b5a04038a37cd6554237df051115c987caf162d1455c23171ab396097e9e6eca", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b5a04038a37cd6554237df051115c987caf162d1455c23171ab396097e9e6eca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint-code.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86334, "scanner": "repobility-supply-chain", "fingerprint": "540c22534dc1ce142833b54939223e93f25d66dc1d7674671503db6332f85b57", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|540c22534dc1ce142833b54939223e93f25d66dc1d7674671503db6332f85b57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/feed-validation.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86333, "scanner": "repobility-supply-chain", "fingerprint": "9b8cf10d40f3308116c55ec3d9523d9b6eff603dc8a0ae5d3901f92452739df8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9b8cf10d40f3308116c55ec3d9523d9b6eff603dc8a0ae5d3901f92452739df8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/feed-validation.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86332, "scanner": "repobility-supply-chain", "fingerprint": "17b1b69650fcb8ece24a36462262e053d2f642384e8293a9cd7efeb849eb1b86", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|17b1b69650fcb8ece24a36462262e053d2f642384e8293a9cd7efeb849eb1b86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-worker.yml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86331, "scanner": "repobility-supply-chain", "fingerprint": "cb9c0579138da44e98939a3de67b4ea0e00307b29012eff4122df36eb2351882", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cb9c0579138da44e98939a3de67b4ea0e00307b29012eff4122df36eb2351882"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-worker.yml"}, "region": {"startLine": 66}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86330, "scanner": "repobility-supply-chain", "fingerprint": "4d442060ea5f1fb8675529d0f1081f2aa4b92e96953ba26b14fa59c681adbb92", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4d442060ea5f1fb8675529d0f1081f2aa4b92e96953ba26b14fa59c681adbb92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-worker.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86329, "scanner": "repobility-supply-chain", "fingerprint": "b1b14f59cf879beb52ff7157664b0e969eb84975bf997e15a1e6f3de1e28df5f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b1b14f59cf879beb52ff7157664b0e969eb84975bf997e15a1e6f3de1e28df5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-worker.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86328, "scanner": "repobility-supply-chain", "fingerprint": "ab4e117a2cf953d6541f21608ce9422ea4adee2d218722c26de9b78d97153b29", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ab4e117a2cf953d6541f21608ce9422ea4adee2d218722c26de9b78d97153b29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-worker.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86327, "scanner": "repobility-supply-chain", "fingerprint": "d3416955087e9abb17c2840a35c78e4cc896bde544aa6ccdf81427f168eb1a7a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d3416955087e9abb17c2840a35c78e4cc896bde544aa6ccdf81427f168eb1a7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/deploy-worker.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86326, "scanner": "repobility-supply-chain", "fingerprint": "7d743db04440346f257e6ad5e4cb9cd6c6110ef15b3b0748eb835f7b94ac6cfd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7d743db04440346f257e6ad5e4cb9cd6c6110ef15b3b0748eb835f7b94ac6cfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 202}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86325, "scanner": "repobility-supply-chain", "fingerprint": "ed1a7ce6a8879621327d8b5994c38c278edcbb60393d41433d4071975ce63f28", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ed1a7ce6a8879621327d8b5994c38c278edcbb60393d41433d4071975ce63f28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 184}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86324, "scanner": "repobility-supply-chain", "fingerprint": "f4db2c2ca5e1fb0f9d87e1f224e1bc45fe8bed2f3fdd8aea89ca4f55c44969b1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f4db2c2ca5e1fb0f9d87e1f224e1bc45fe8bed2f3fdd8aea89ca4f55c44969b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 183}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86323, "scanner": "repobility-supply-chain", "fingerprint": "555279ca2dcd31b000b6fa2aa16c18378889cfaa03d5fdaffd9f968dc2821837", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|555279ca2dcd31b000b6fa2aa16c18378889cfaa03d5fdaffd9f968dc2821837"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 169}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86322, "scanner": "repobility-supply-chain", "fingerprint": "621389921f8c7f90e738896462cf3011927b08dd8ac37c56d8678a280869de8a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|621389921f8c7f90e738896462cf3011927b08dd8ac37c56d8678a280869de8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86321, "scanner": "repobility-supply-chain", "fingerprint": "b08be18746137de2db849017c674de67b02418b121c20dfc9cbbfde950946c83", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b08be18746137de2db849017c674de67b02418b121c20dfc9cbbfde950946c83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 152}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86320, "scanner": "repobility-supply-chain", "fingerprint": "d2939603d71f90143cd179e5367be8152b709be6499f496621b4701c57b41a53", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d2939603d71f90143cd179e5367be8152b709be6499f496621b4701c57b41a53"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86319, "scanner": "repobility-supply-chain", "fingerprint": "fef4c224673c08ff82ffb4db7041b66ce165e0350b582432c16be1c8148f72f7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fef4c224673c08ff82ffb4db7041b66ce165e0350b582432c16be1c8148f72f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86318, "scanner": "repobility-supply-chain", "fingerprint": "ba4312bbe0abab6e1e9933b6805c2282f4c5145b6cdb32151e81bf2850478ade", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ba4312bbe0abab6e1e9933b6805c2282f4c5145b6cdb32151e81bf2850478ade"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 137}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86317, "scanner": "repobility-supply-chain", "fingerprint": "b90fd87532c34967b70d6916f38a1e779e880c030b2febcd07055ccdc7e03e49", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b90fd87532c34967b70d6916f38a1e779e880c030b2febcd07055ccdc7e03e49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86316, "scanner": "repobility-supply-chain", "fingerprint": "a6f2633515086ce0715ac93b5ab90f634fd5f4031b17a9e08a03a06f368cd7e5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a6f2633515086ce0715ac93b5ab90f634fd5f4031b17a9e08a03a06f368cd7e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86315, "scanner": "repobility-supply-chain", "fingerprint": "9fab013e23873016a3600526c756db1c3a26e4423d24827289a5392894dbde45", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9fab013e23873016a3600526c756db1c3a26e4423d24827289a5392894dbde45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86314, "scanner": "repobility-supply-chain", "fingerprint": "5003467c5f2c6f70886b024d42dc2900cdd781ca80e1306f2b107f73c7d8d211", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5003467c5f2c6f70886b024d42dc2900cdd781ca80e1306f2b107f73c7d8d211"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86313, "scanner": "repobility-supply-chain", "fingerprint": "0ce1fe311dfae895cb4af0ab35f27443a6eb91e05c0c064c8e5c12ba64a14476", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0ce1fe311dfae895cb4af0ab35f27443a6eb91e05c0c064c8e5c12ba64a14476"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/convex-deploy.yml"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86312, "scanner": "repobility-supply-chain", "fingerprint": "6017746cd79e1220b83c5419e08abe171d9454d6e7f027fcd2e549e400bc3783", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6017746cd79e1220b83c5419e08abe171d9454d6e7f027fcd2e549e400bc3783"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/convex-deploy.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 86311, "scanner": "repobility-supply-chain", "fingerprint": "ca00917b4b35254c9376392df393e5953ef597af09e2e706ae6c335581066b6c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ca00917b4b35254c9376392df393e5953ef597af09e2e706ae6c335581066b6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/convex-deploy.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86310, "scanner": "repobility-supply-chain", "fingerprint": "23644c46d79f1338cff68e00a459a21e4c9e165dbee7ec9fc2017759c802f939", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|23644c46d79f1338cff68e00a459a21e4c9e165dbee7ec9fc2017759c802f939"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile.redis-rest"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `nginx:alpine` not pinned by digest: `FROM nginx:alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86309, "scanner": "repobility-supply-chain", "fingerprint": "c4af1edc20f9b0bcb6810d9b1e180608540fc142b3d4821e26d9440957c2f398", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c4af1edc20f9b0bcb6810d9b1e180608540fc142b3d4821e26d9440957c2f398"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86308, "scanner": "repobility-supply-chain", "fingerprint": "d1f0a1ac86ce262b8f55c731319cbb59e481a418f96f10ea6efd553b0a007160", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d1f0a1ac86ce262b8f55c731319cbb59e481a418f96f10ea6efd553b0a007160"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:20-slim` not pinned by digest: `FROM node:20-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86307, "scanner": "repobility-supply-chain", "fingerprint": "c64c280a136b33e4f283ce516617ca17c69a082ab5f95a31030c225600bbdbe9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c64c280a136b33e4f283ce516617ca17c69a082ab5f95a31030c225600bbdbe9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "consumer-prices-core/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86306, "scanner": "repobility-supply-chain", "fingerprint": "f5ef3b675da985074ff0b3e421d9050e6e0474a0501e9945e6e2d8392d3558ad", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f5ef3b675da985074ff0b3e421d9050e6e0474a0501e9945e6e2d8392d3558ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.seed-bundle-portwatch-port-activity"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86305, "scanner": "repobility-supply-chain", "fingerprint": "42c7f92d8b6a1243c3ed8c8fb2d7530640f7181d54cf071c44ab092b1b76a4b8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|42c7f92d8b6a1243c3ed8c8fb2d7530640f7181d54cf071c44ab092b1b76a4b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.seed-bundle-resilience-validation"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86304, "scanner": "repobility-supply-chain", "fingerprint": "f0a317226852a6e0630a387c92fa557e890ce99d70d9aac201515605c652cbd7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0a317226852a6e0630a387c92fa557e890ce99d70d9aac201515605c652cbd7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.digest-notifications"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86303, "scanner": "repobility-supply-chain", "fingerprint": "122c2d1c840d9f4c9fdb6d031c788c2a70f298b41d1b9ca47f33821a2fdba691", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|122c2d1c840d9f4c9fdb6d031c788c2a70f298b41d1b9ca47f33821a2fdba691"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile.relay"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86301, "scanner": "repobility-supply-chain", "fingerprint": "5442336277de5b53866d440e4603f943d3a99c0ea94abf679ea59c2ad989c938", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5442336277de5b53866d440e4603f943d3a99c0ea94abf679ea59c2ad989c938"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86300, "scanner": "repobility-supply-chain", "fingerprint": "e2de029902b38372d000f7630dcb86fbe5076d77781e91d1a21ac6156958dcb8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2de029902b38372d000f7630dcb86fbe5076d77781e91d1a21ac6156958dcb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:22-alpine` not pinned by digest: `FROM node:22-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 86299, "scanner": "repobility-supply-chain", "fingerprint": "6b5d6a953ed439d7061d5f834305e969cca5d87bc84be2f362346dc38e6f5714", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b5d6a953ed439d7061d5f834305e969cca5d87bc84be2f362346dc38e6f5714"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED031", "level": "error", "message": {"text": "[MINED031] React Direct State Mutation: this.state.X = Y mutates without setState. React won't re-render."}, "properties": {"repobilityId": 86243, "scanner": "repobility-threat-engine", "fingerprint": "10083ed6b7e1ea1da82cfdc53d5dc2b226541d1ccb666e206c9fd26597a59195", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-direct-state-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347971+00:00", "triaged_in_corpus": 15, "observations_count": 6168, "ai_coder_pattern_id": 137}, "scanner": "repobility-threat-engine", "correlation_key": "fp|10083ed6b7e1ea1da82cfdc53d5dc2b226541d1ccb666e206c9fd26597a59195"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/components/WatchlistTableView.ts"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: 
child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 86223, "scanner": "repobility-threat-engine", "fingerprint": "f6e2b4ac92ec6de7297ff3c1cc8bc1188ce144562f3fd39bb7c3cc51e1671f9b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(src", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f6e2b4ac92ec6de7297ff3c1cc8bc1188ce144562f3fd39bb7c3cc51e1671f9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/audit-convex-string-calls.cjs"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 86222, "scanner": "repobility-threat-engine", "fingerprint": "3a3a7f39ff3d4a77424caf766d979e0c65563f27798a3d40f2d0ead0e24f2427", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(token", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3a3a7f39ff3d4a77424caf766d979e0c65563f27798a3d40f2d0ead0e24f2427"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/_content-age-helpers.mjs"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 86221, "scanner": "repobility-threat-engine", "fingerprint": "027faa76406d20d2046f8b8c074b212de6158db9929ecac7d84a2d59a452d8d9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|027faa76406d20d2046f8b8c074b212de6158db9929ecac7d84a2d59a452d8d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "consumer-prices-core/src/normalizers/size.ts"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 86212, "scanner": "repobility-threat-engine", "fingerprint": "4c0113af9546cdc811fb64b9356b98b4cd3babb9a12e7c0509fe19c37866194c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4c0113af9546cdc811fb64b9356b98b4cd3babb9a12e7c0509fe19c37866194c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "consumer-prices-core/src/db/client.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new 
RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 86200, "scanner": "repobility-threat-engine", "fingerprint": "6e46b49801bc7ae985885ffbc856a4c091a48588384da55c09aa33d67be0b11a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6e46b49801bc7ae985885ffbc856a4c091a48588384da55c09aa33d67be0b11a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/seed-regulatory-actions.mjs"}, "region": {"startLine": 259}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 86199, "scanner": "repobility-threat-engine", "fingerprint": "2281a6ceace53c5175e2ba14f2ed906d5e5808b376ab1992e12933ba44334d21", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2281a6ceace53c5175e2ba14f2ed906d5e5808b376ab1992e12933ba44334d21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "consumer-prices-core/src/adapters/exa-search.ts"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 86197, "scanner": "repobility-threat-engine", "fingerprint": "d86d448bf4350c6953f5cbe876bfe5c3cae9803186e95a8d0171d6b346d30ea7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "params.delete(CHECKOUT_PRODUCT_PARAM);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d86d448bf4350c6953f5cbe876bfe5c3cae9803186e95a8d0171d6b346d30ea7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pro-test/src/services/checkout-intent-url.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 86196, "scanner": "repobility-threat-engine", "fingerprint": "bec0a91115a5fa5e7ad97478f4fb2abba0e6b0709136eae345c9f363a2aaae1a", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "req.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bec0a91115a5fa5e7ad97478f4fb2abba0e6b0709136eae345c9f363a2aaae1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/redis-rest-proxy.mjs"}, "region": {"startLine": 75}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 86195, "scanner": "repobility-threat-engine", "fingerprint": "90938a7b1ead4e0e45f9bb2498db7b05525674fc7e0f7a9b492ec7ece58ab1f7", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.allSettled(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|90938a7b1ead4e0e45f9bb2498db7b05525674fc7e0f7a9b492ec7ece58ab1f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "consumer-prices-core/src/acquisition/playwright.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 86191, "scanner": "repobility-threat-engine", "fingerprint": "2fe9f2a60e50b7c460e0174ffbbc97202c10704a0d8a381f00b215e893eb1457", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((fileName) => `  - ${fileName}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2fe9f2a60e50b7c460e0174ffbbc97202c10704a0d8a381f00b215e893eb1457"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/check-local-secret-dumps.mjs"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 86190, "scanner": "repobility-threat-engine", "fingerprint": "26f19f640b857f3d9d3e3df126b572ca5dbdcd9b677a9a5e200bf8fc43c48a6d", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((item) => `<li style=\"margin-bottom:6px;\">${renderEmailInline(item)}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|26f19f640b857f3d9d3e3df126b572ca5dbdcd9b677a9a5e200bf8fc43c48a6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/_digest-markdown.mjs"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 86189, "scanner": "repobility-threat-engine", "fingerprint": "95cf4ebaecf7977e1efadece80b28743633a9e1903428c5eab2ce7126e906c87", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(([k, v]) => `${k} (${v.type}): ${v.description}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|95cf4ebaecf7977e1efadece80b28743633a9e1903428c5eab2ce7126e906c87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "consumer-prices-core/src/acquisition/exa.ts"}, "region": {"startLine": 58}}}]}, {"ruleId": "SEC020", "level": "error", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 86185, "scanner": "repobility-threat-engine", "fingerprint": "a52ab41dce1ec6379fe740382b72b9767cd2d81f092f71fc10d2af4a6bb1901f", "category": "credential_exposure", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Credential-bearing variable appears to be printed or logged", "evidence": {"match": "console.error(`[discord-oauth] token_exchange_failed status=${tokenRes?.status} body=${errBody} redi", "reason": "Credential-bearing variable appears to be printed or logged", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "secret|token|14|console.error discord-oauth token_exchange_failed status tokenres .status body errbody redi"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/discord/oauth/callback.ts"}, "region": {"startLine": 141}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 86167, "scanner": "repobility-threat-engine", "fingerprint": "43cc6c3c1c771957846d49064e4b6bee9b7c6455f3a2f78242473c365fd7e104", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|43cc6c3c1c771957846d49064e4b6bee9b7c6455f3a2f78242473c365fd7e104"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/_session.js"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 86166, "scanner": "repobility-threat-engine", "fingerprint": "c090b9518b8737d2d2b2dc75677bb86f756f4068a7c902f9b7c48b1ac417ef7d", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(d", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c090b9518b8737d2d2b2dc75677bb86f756f4068a7c902f9b7c48b1ac417ef7d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/_sentry-common.js"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 86165, "scanner": "repobility-threat-engine", "fingerprint": "ad082db83d4cc7e991640a0114c99e1ba6a748f67da9a97b85c6aef45c19e806", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ad082db83d4cc7e991640a0114c99e1ba6a748f67da9a97b85c6aef45c19e806"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/_relay.js"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 86159, "scanner": "repobility-threat-engine", "fingerprint": "0b7e5737a170c2a985f6735acfba70868466d9ec0565bb5f56563fbd7b5d8337", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0b7e5737a170c2a985f6735acfba70868466d9ec0565bb5f56563fbd7b5d8337"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/oauth-protected-resource.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 86158, "scanner": "repobility-threat-engine", "fingerprint": "04dda7265cae8da9d167e33ddea445e625d6a531cecfc424039219099aa2d4a4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|04dda7265cae8da9d167e33ddea445e625d6a531cecfc424039219099aa2d4a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/geo.js"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 86157, "scanner": "repobility-threat-engine", "fingerprint": "efb9733a67878dea4c428eabee08123c455f0122d1dc8a3fc7872f20432c584e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin': '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|efb9733a67878dea4c428eabee08123c455f0122d1dc8a3fc7872f20432c584e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/_cors.js"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED127", "level": "error", "message": {"text": "[MINED127] Cryptominer signature: `xmrig`: Source contains a known cryptominer signature (`xmrig`). Could be a deliberate malicious payload, a compromised dependency, or a copy-paste from a tutorial \u2014 but it warrants immediate investigation. 
Mining pool URLs in production code are almost never legitimate."}, "properties": {"repobilityId": 86302, "scanner": "repobility-supply-chain", "fingerprint": "94be54c329443c3840b2ffb1e30127203738cab4232cea4e955f6b35bb17c15b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "cryptominer-signature", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|94be54c329443c3840b2ffb1e30127203738cab4232cea4e955f6b35bb17c15b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}, "region": {"startLine": 23213}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 86297, "scanner": "repobility-journey-contract", "fingerprint": "4d66655b315291ca32ffc89fecf00bef8d36a3b23d47a9973248b3695c4963ee", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|266|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/pro/assets/index-cpXKHxXo.js"}, "region": {"startLine": 266}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": 
{"repobilityId": 86211, "scanner": "repobility-threat-engine", "fingerprint": "4b2bc4cd3df83bf62e5b0607b7ff47400827fa6cb26e314a60396ce195870f3e", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4b2bc4cd3df83bf62e5b0607b7ff47400827fa6cb26e314a60396ce195870f3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/build-agent-skills-index.mjs"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 86210, "scanner": "repobility-threat-engine", "fingerprint": "229434b10982b03e3b2fc6aba5b27f7fc86e9c1d0f9efd6b57c7bdbde196eb86", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|229434b10982b03e3b2fc6aba5b27f7fc86e9c1d0f9efd6b57c7bdbde196eb86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "consumer-prices-core/src/config/loader.ts"}, "region": {"startLine": 13}}}]}, 
{"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 86209, "scanner": "repobility-threat-engine", "fingerprint": "67085c1379deb7bfc7136f5116de76eb71ae67c9b21d38271c59335742c44c9f", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|37|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/build-agent-skills-index.mjs"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. 
`unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 86208, "scanner": "repobility-threat-engine", "fingerprint": "c687ab04f1678155176b1f638fc052d76f29c87d2d89bf3c55d4e4e492d11b5f", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|13|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "consumer-prices-core/src/config/loader.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 86207, "scanner": "repobility-threat-engine", "fingerprint": "ae84fb3a7e9ce76b96b4d9d51ba95b9cb465547968eeee65d5d3be192b0efd1c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(match[1])", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ae84fb3a7e9ce76b96b4d9d51ba95b9cb465547968eeee65d5d3be192b0efd1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/build-agent-skills-index.mjs"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python 
objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 86206, "scanner": "repobility-threat-engine", "fingerprint": "29aefaad4b1426852dcb782e22d08e6dfe959de0c66a4273997e6b8c4560edcf", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(raw)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|29aefaad4b1426852dcb782e22d08e6dfe959de0c66a4273997e6b8c4560edcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "consumer-prices-core/src/config/loader.ts"}, "region": {"startLine": 13}}}]}]}]}