{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found in a documentation, catalog, or template-heavy repository", "shortDescription": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "fullDescription": {"text": "If this repository ships runnable code, add focused tests for those examples or templates. If it is documentation/catalog content only, mark the finding as accepted or add a .repobilityignore note."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "info", "confidence": 0.35, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `hugo19941994/delete-draft-releases` pinned to mutable ref `@v3.0.0`", "shortDescription": {"text": "Action `hugo19941994/delete-draft-releases` pinned to mutable ref `@v3.0.0`"}, "fullDescription": {"text": "`uses: hugo19941994/delete-draft-releases@v3.0.0` is resolved at workflow-run time. Tags and branches are mutable: the action owner, or anyone who gains write access to the action's repository, can re-point them at different code. That is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. Pin to the full 40-character commit SHA (keep the version in a trailing comment), confirm the SHA belongs to the action's own repository rather than a fork, and let Dependabot or Renovate propose reviewed updates to the pin."}, 
"properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1377"}, "properties": {"repository": "mrdrvt99/YouProEXTRA", "repoUrl": "https://github.com/mrdrvt99/YouProEXTRA", "branch": "main"}, "results": [{"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 140838, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "CORE_NO_TESTS", "level": "none", "message": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "properties": {"repobilityId": 140820, "scanner": "repobility-core", "fingerprint": "69cfb3536a8ccff500ccafcd681fc8d4bc9f4eda6689da02ddec81654bd9fd15", "category": "testing", "severity": "info", "confidence": 0.35, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "evidence": {"reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "confidence": 0.35, "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED115", "level": "error", 
"message": {"text": "Action `hugo19941994/delete-draft-releases` pinned to mutable ref `@v3.0.0`"}, "properties": {"repobilityId": 140837, "scanner": "repobility-supply-chain", "fingerprint": "8938c1a3cbd98189f6e501d1e047240f8791ff53b694498e46f17eb14a70ad94", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8938c1a3cbd98189f6e501d1e047240f8791ff53b694498e46f17eb14a70ad94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/delete-old-draft-releases.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `levibostian/action-hide-sensitive-inputs` pinned to mutable ref `@1.2.0`"}, "properties": {"repobilityId": 140836, "scanner": "repobility-supply-chain", "fingerprint": "76105074cd178e197ac1421f55ff8897bb019001d2b2f6638d010f06a0b7ea1f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|76105074cd178e197ac1421f55ff8897bb019001d2b2f6638d010f06a0b7ea1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/buildcustom.yml"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v8.0.1`"}, "properties": {"repobilityId": 140835, "scanner": "repobility-supply-chain", "fingerprint": "aae3ee8e9558f659ddf063431ad3608766833c542939cfb39ecd62599365fc89", 
"category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aae3ee8e9558f659ddf063431ad3608766833c542939cfb39ecd62599365fc89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/buildcustom.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6.0.2`"}, "properties": {"repobilityId": 140834, "scanner": "repobility-supply-chain", "fingerprint": "36d06a1d527cbe0c9f93072d98089e184b34c0f94e0af3afd2f3852667712194", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|36d06a1d527cbe0c9f93072d98089e184b34c0f94e0af3afd2f3852667712194"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/buildl.yml"}, "region": {"startLine": 249}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `levibostian/action-hide-sensitive-inputs` pinned to mutable ref `@1.2.0`"}, "properties": {"repobilityId": 140833, "scanner": "repobility-supply-chain", "fingerprint": "941a1bc9dfa3f353771b9859ccae247ebfa741cf1aa3ff169ddc2848ebb1710f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], 
"observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|941a1bc9dfa3f353771b9859ccae247ebfa741cf1aa3ff169ddc2848ebb1710f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/buildl.yml"}, "region": {"startLine": 126}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6.0.2`"}, "properties": {"repobilityId": 140832, "scanner": "repobility-supply-chain", "fingerprint": "c04779de33b4c4248f4df3894d740fcc161ea5c3af97f5932194d7219620f209", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c04779de33b4c4248f4df3894d740fcc161ea5c3af97f5932194d7219620f209"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/buildl.yml"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `levibostian/action-hide-sensitive-inputs` pinned to mutable ref `@1.2.0`"}, "properties": {"repobilityId": 140831, "scanner": "repobility-supply-chain", "fingerprint": "223d01814dd50f0c6e3a759981d8f2bbf4952838a31213a359832d24b21ada24", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|223d01814dd50f0c6e3a759981d8f2bbf4952838a31213a359832d24b21ada24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/buildytkplus.yml"}, "region": {"startLine": 118}}}]}, 
{"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6.0.2`"}, "properties": {"repobilityId": 140830, "scanner": "repobility-supply-chain", "fingerprint": "99202205aa8aa6f0be023c1449eb0b3f1dec4ff26b4b3b6358d997b44fb087dc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|99202205aa8aa6f0be023c1449eb0b3f1dec4ff26b4b3b6358d997b44fb087dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/buildytkplus.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `Mattraks/delete-workflow-runs` pinned to mutable ref `@v2.1.0`"}, "properties": {"repobilityId": 140829, "scanner": "repobility-supply-chain", "fingerprint": "9c88ce6c84842dd2e30b94bfe1073928e206b05d3f8c69eeb118c2e7dff602b8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c88ce6c84842dd2e30b94bfe1073928e206b05d3f8c69eeb118c2e7dff602b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/delete-old-workflows-run.yml"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `levibostian/action-hide-sensitive-inputs` pinned to mutable ref `@1.2.0`"}, "properties": {"repobilityId": 140828, "scanner": "repobility-supply-chain", "fingerprint": 
"2b320862ea6f0f6e9784cadbcdf16546dfcc838ee85c2ee3cd3964035e8a9119", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2b320862ea6f0f6e9784cadbcdf16546dfcc838ee85c2ee3cd3964035e8a9119"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/buildytlite.yml"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6.0.2`"}, "properties": {"repobilityId": 140827, "scanner": "repobility-supply-chain", "fingerprint": "430fe1a2a939aa2816b8925fd4cc526c691148f33ac10ca0bad536fe6d4f0d20", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|430fe1a2a939aa2816b8925fd4cc526c691148f33ac10ca0bad536fe6d4f0d20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/buildytlite.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `levibostian/action-hide-sensitive-inputs` pinned to mutable ref `@1.2.0`"}, "properties": {"repobilityId": 140826, "scanner": "repobility-supply-chain", "fingerprint": "2117087c705fb46291a729705b3efa8b7e13a7994a7ea21cc571c5fa4f4e75be", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": 
"A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2117087c705fb46291a729705b3efa8b7e13a7994a7ea21cc571c5fa4f4e75be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/buildnoylite.yml"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v8.0.1`"}, "properties": {"repobilityId": 140825, "scanner": "repobility-supply-chain", "fingerprint": "00753e42d150f32db63727a3796efce24edd5a73a15635aae3be4f9fcd7d465b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|00753e42d150f32db63727a3796efce24edd5a73a15635aae3be4f9fcd7d465b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/buildnoylite.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `levibostian/action-hide-sensitive-inputs` pinned to mutable ref `@1.2.0`"}, "properties": {"repobilityId": 140824, "scanner": "repobility-supply-chain", "fingerprint": "a83a05f15a829825f9e7ceca5d6f205403f1c823ff1b82e935d67b7f37a3427c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a83a05f15a829825f9e7ceca5d6f205403f1c823ff1b82e935d67b7f37a3427c"}}, "locations": [{"physicalLocation": {"artifactLocation": 
{"uri": ".github/workflows/buildyoupro.yml"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/download-artifact` pinned to mutable ref `@v8.0.1`"}, "properties": {"repobilityId": 140823, "scanner": "repobility-supply-chain", "fingerprint": "f98fd7f547a56c2c0f010c127125eb53d9269961971d8d207bf380df15b2a5f6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f98fd7f547a56c2c0f010c127125eb53d9269961971d8d207bf380df15b2a5f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/buildyoupro.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v7.0.1`"}, "properties": {"repobilityId": 140822, "scanner": "repobility-supply-chain", "fingerprint": "7ad54cd8d2bad36901961102bb48c5f2141fb2787f85cd74f33b30e9568c9a93", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7ad54cd8d2bad36901961102bb48c5f2141fb2787f85cd74f33b30e9568c9a93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/_build_tweaks.yml"}, "region": {"startLine": 315}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6.0.2`"}, "properties": {"repobilityId": 140821, "scanner": "repobility-supply-chain", 
"fingerprint": "6c46a598941c8a58b6146cde7b836377fbfca625e6295fcfe8ff49073e73d800", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c46a598941c8a58b6146cde7b836377fbfca625e6295fcfe8ff49073e73d800"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/_build_tweaks.yml"}, "region": {"startLine": 43}}}]}]}]}