{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE "}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /switch."}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `otel-collector` image has no explicit tag", "shortDescription": {"text": "Compose service `otel-collector` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `flowise` image uses the latest tag", "shortDescription": {"text": "Compose service `flowise` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR017", "name": "Dockerfile installs dependencies after copying the full source tree", "shortDescription": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "fullDescription": {"text": "Copy dependency manifests first, install dependencies in a cached layer, then copy the rest of the source tree."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC017", "name": "[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.", "shortDescription": {"text": "[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Cost abuse \u2014 an attacker can send extremely"}, "fullDescription": {"text": "1) Enforce a maximum input length BEFORE sending to the API: e.g. `if len(text) > 4000: return error`. 2) Use token counting (tiktoken for OpenAI, anthropic's token counter) to enforce token-level limits. 3) Set max_tokens on the API call to cap response cost. 4) Add rate limiting per user/IP to prevent automated abuse. 5) Monitor API spend with alerts for unusual usage patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "llm_injection", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC125", "name": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeh", "shortDescription": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim "}, "fullDescription": {"text": "Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED074", "name": "[MINED074] Ai Tell Fake Citation (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED074] Ai Tell Fake Citation (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED014", "name": "[MINED014] Disabled Tls Verify (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED014] Disabled Tls Verify (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-295 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 1 more): Same pattern found in 1 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 53 more): Same pattern found in 53 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 53 more): Same pattern found in 53 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 112 more): Same pattern found in 112 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 112 more): Same pattern found in 112 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 30 more): Same pattern found in 30 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 24 more): Same pattern found in 24 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 5 more): Same pattern found in 5 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 11 more): Same pattern found in 11 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 12 more): Same pattern found in 12 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 76 more): Same pattern found in 76 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 76 more): Same pattern found in 76 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED065] Cors Wildcard (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED130", "name": "[MINED130] Lockfile pulls package from off-canonical host `artifactory.workday.com`: `package-lock.json` resolved URL fo", "shortDescription": {"text": "[MINED130] Lockfile pulls package from off-canonical host `artifactory.workday.com`: `package-lock.json` resolved URL for `node_modules/@babel/code-frame` is `https://artifactory.workday.com/artifactory/api/npm/npm-virtual/@babel/code-fram."}, "fullDescription": {"text": "Verify the host is intentional. If your org uses a private registry, add it to your scanner's allowlist (CANONICAL_NPM_HOSTS). Otherwise, regenerate the lockfile against the canonical registry."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `node:24-alpine` not pinned by digest: `FROM node:24-alpine` resolves the tag at build time. ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `node:24-alpine` not pinned by digest: `FROM node:24-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images "}, "fullDescription": {"text": "Replace with: `FROM node:24-alpine@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED113", "name": "[MINED113] Express PUT / has no auth: Express route PUT / declared without an auth middleware in its handler chain. Dest", "shortDescription": {"text": "[MINED113] Express PUT / has no auth: Express route PUT / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "fullDescription": {"text": "Add an auth middleware: app.put('/', requireAuth, handler) \u2014 or mount the router under app.use('/api', authMiddleware) and ensure the path is covered. If truly public, mark with a comment."}, "properties": {"scanner": "repobility-route-auth", "category": "quality", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /:id."}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED028", "name": "[MINED028] Ts Ignore Comment: // @ts-ignore silences all type errors on the next line.", "shortDescription": {"text": "[MINED028] Ts Ignore Comment: // @ts-ignore silences all type errors on the next line."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC033", "name": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without fil", "shortDescription": {"text": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting ever"}, "fullDescription": {"text": "Sanitize keys BEFORE merge:\n  function sanitize(obj) {\n    delete obj.__proto__;\n    delete obj.constructor;\n    delete obj.prototype;\n    return obj;\n  }\nOr use Object.create(null) for the target. Or use Map() for user-key-indexed data. Upgrade lodash >= 4.17.21 for partial mitigation."}, "properties": {"scanner": "repobility-threat-engine", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "JRN001", "name": "Token handoff appears to use a callback URL or fragment", "shortDescription": {"text": "Token handoff appears to use a callback URL or fragment"}, "fullDescription": {"text": "Use a server-side one-time authorization code tied to a registered callback allowlist. Do not append access tokens to callback URLs or fragments."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/936"}, "properties": {"repository": "FlowiseAI/Flowise", "repoUrl": "https://github.com/FlowiseAI/Flowise", "branch": "main"}, "results": [{"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87872, "scanner": "repobility-journey-contract", "fingerprint": "3419f34f6a9290029d9400b30f2c1cb3b32d2d2617ee152e7a456f785e1d72ba", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1", "correlation_key": "fp|3419f34f6a9290029d9400b30f2c1cb3b32d2d2617ee152e7a456f785e1d72ba", "backend_endpoint_count": 160}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/index.ts"}, "region": {"startLine": 327}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87871, "scanner": "repobility-journey-contract", "fingerprint": "45dd4f30dd08f45928f4f8656d9be732977a7228f03037be8bb6bf2d2df185e2", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/google/logout", "correlation_key": "fp|45dd4f30dd08f45928f4f8656d9be732977a7228f03037be8bb6bf2d2df185e2", "backend_endpoint_count": 160}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/sso/GoogleSSO.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87870, "scanner": "repobility-journey-contract", "fingerprint": "22245664ac6a0b560f88e70a4335a998a93b9d16882438b03555243128525a7a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/google/callback", "correlation_key": "fp|22245664ac6a0b560f88e70a4335a998a93b9d16882438b03555243128525a7a", "backend_endpoint_count": 160}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/sso/GoogleSSO.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87869, "scanner": "repobility-journey-contract", "fingerprint": "90fb88e0e60df01b63ad5dd21259de989994095e91b155b835c012121dbbca36", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/google/login", "correlation_key": "fp|90fb88e0e60df01b63ad5dd21259de989994095e91b155b835c012121dbbca36", "backend_endpoint_count": 160}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/sso/GoogleSSO.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87868, "scanner": "repobility-journey-contract", "fingerprint": "e22c584b42bf069ed88f6507137a6788811f535273a7a3a743c1bc44154fd629", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/github/logout", "correlation_key": "fp|e22c584b42bf069ed88f6507137a6788811f535273a7a3a743c1bc44154fd629", "backend_endpoint_count": 160}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/sso/GithubSSO.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87867, "scanner": "repobility-journey-contract", "fingerprint": "eca5568ce2287a98fe82f76a593c95dd84ef26dbb2421a765d4f5c8805732dc2", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/github/callback", "correlation_key": "fp|eca5568ce2287a98fe82f76a593c95dd84ef26dbb2421a765d4f5c8805732dc2", "backend_endpoint_count": 160}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/sso/GithubSSO.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87866, "scanner": "repobility-journey-contract", "fingerprint": "d0664cccfd8baa0560b3eabccf7c3611d387f2701f8a2d8952dd50a403b9992b", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/github/login", "correlation_key": "fp|d0664cccfd8baa0560b3eabccf7c3611d387f2701f8a2d8952dd50a403b9992b", "backend_endpoint_count": 160}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/sso/GithubSSO.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87865, "scanner": "repobility-journey-contract", "fingerprint": "d3be678fd4119ce3ecfe1a75df0b2b3bf8364f650641f9730318121acde702a8", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/azure/logout", "correlation_key": "fp|d3be678fd4119ce3ecfe1a75df0b2b3bf8364f650641f9730318121acde702a8", "backend_endpoint_count": 160}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/sso/AzureSSO.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87864, "scanner": "repobility-journey-contract", "fingerprint": "342a21c1ee8ace1d53ba71a4f9b3dd7edf3ef513220a7cbeb7a423380f303963", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/azure/callback", "correlation_key": "fp|342a21c1ee8ace1d53ba71a4f9b3dd7edf3ef513220a7cbeb7a423380f303963", "backend_endpoint_count": 160}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/sso/AzureSSO.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87863, "scanner": "repobility-journey-contract", "fingerprint": "419e06ce4ddbe6f6f39037cb6c8cbdf2d94960c2b6cf02846d7610bf5b99d32a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/azure/login", "correlation_key": "fp|419e06ce4ddbe6f6f39037cb6c8cbdf2d94960c2b6cf02846d7610bf5b99d32a", "backend_endpoint_count": 160}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/sso/AzureSSO.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87862, "scanner": "repobility-journey-contract", "fingerprint": "74edeb7ed5b7e3232e241d906c560ccb2b394b4407396645e389874b08c8fe94", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/auth0/logout", "correlation_key": "fp|74edeb7ed5b7e3232e241d906c560ccb2b394b4407396645e389874b08c8fe94", "backend_endpoint_count": 160}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/sso/Auth0SSO.ts"}, "region": {"startLine": 42}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87861, "scanner": "repobility-journey-contract", "fingerprint": "c3b1b87b8ef05249acbf60c8ca3476c3f9e528773b0ec0ca67851b89202f460a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/auth0/callback", "correlation_key": "fp|c3b1b87b8ef05249acbf60c8ca3476c3f9e528773b0ec0ca67851b89202f460a", "backend_endpoint_count": 160}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/sso/Auth0SSO.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87860, "scanner": "repobility-journey-contract", "fingerprint": "520b48a23ab903a3f96867e783ffa1006d16f16f7ce95504d6f0bbdceb6c75c0", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/auth0/login", "correlation_key": "fp|520b48a23ab903a3f96867e783ffa1006d16f16f7ce95504d6f0bbdceb6c75c0", "backend_endpoint_count": 160}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/sso/Auth0SSO.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87859, "scanner": "repobility-journey-contract", "fingerprint": "48c1e2b7c6d837b1639180b15e1ebc75a6115818967bdbeeaa7c61c297407ca9", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/metrics", "correlation_key": "fp|48c1e2b7c6d837b1639180b15e1ebc75a6115818967bdbeeaa7c61c297407ca9", "backend_endpoint_count": 160}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/middleware/prometheus/index.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 87858, "scanner": "repobility-journey-contract", "fingerprint": "98fd0f43caa810d430ba0247d483c0d28ccb62e41400f4b3373bda1ac5db2146", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/prediction", "correlation_key": "fp|98fd0f43caa810d430ba0247d483c0d28ccb62e41400f4b3373bda1ac5db2146", "backend_endpoint_count": 160}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/middleware/prometheus/index.ts"}, "region": {"startLine": 22}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /delete."}, "properties": {"repobilityId": 87856, "scanner": "repobility-access-control", "fingerprint": "7f271b3993de73f9d026434f80c56b79d2deea1809258d4bffeb227b3c32157e", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/delete", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|33|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/account.route.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /billing."}, "properties": {"repobilityId": 87855, "scanner": "repobility-access-control", "fingerprint": "4c71b0aaadf66b8b97b02bcb909c4ad1099fded38e9a6ab46593bab25b62c8fe", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/billing", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|31|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/account.route.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /resend-verification."}, "properties": {"repobilityId": 87854, "scanner": "repobility-access-control", "fingerprint": "26cdc90ca73dc2f1e7332bcc597d0a7dbca7a60be68f0ae8ad602412b1331c65", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/resend-verification", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|25|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/account.route.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /confirm-email-change."}, "properties": {"repobilityId": 87853, "scanner": "repobility-access-control", "fingerprint": "5ca5523580165b71d85f7338b945ad0c83b14fbf33f06c3fb3f2a031b8a74b14", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/confirm-email-change", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|23|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/account.route.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /verify."}, "properties": {"repobilityId": 87852, "scanner": "repobility-access-control", "fingerprint": "b6126e5b91783d0494b548f0188a45bc93a1ef28b4e14bc0bee50822baa883cb", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/verify", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|21|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/account.route.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /test."}, "properties": {"repobilityId": 87851, "scanner": "repobility-access-control", "fingerprint": "f922fb662a197df6496ac544c50ade508fecaef8945bb1a1451097bc2a7f8983", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/test", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|16|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/login-method.route.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: PUT /."}, "properties": {"repobilityId": 87850, "scanner": "repobility-access-control", "fingerprint": "deb1293cb38527efe74889ba488c21c450e676f567591dc2f7ec6bff24a64334", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "PUT", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|14|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/login-method.route.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /."}, "properties": {"repobilityId": 87849, "scanner": "repobility-access-control", "fingerprint": "99e8afea9956f21976ba974a330037fa11cdb93423d6857665bb7ef4bda820ae", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|12|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/login-method.route.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /default."}, "properties": {"repobilityId": 87848, "scanner": "repobility-access-control", "fingerprint": "c404ceb8c1f283d252c968318b6d3db17471d400b18e4a81978c28549424716f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/default", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|10|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/login-method.route.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /."}, "properties": {"repobilityId": 87847, "scanner": "repobility-access-control", "fingerprint": "495d5f78e75409b8190d062bec57c2cf55f6ce4965e7765dc22174e848def8e1", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|8|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/login-method.route.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /switch."}, "properties": {"repobilityId": 87846, "scanner": "repobility-access-control", "fingerprint": "bcccc30e18ceaa6b42c28429c64ba9c62661dff9f8ff393802e48739067aa8d9", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/switch", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|14|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/workspace.route.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /."}, "properties": {"repobilityId": 87845, "scanner": "repobility-access-control", "fingerprint": "a7e0b0cf7e270ecb4dab46b059f2d3ef300419be31638bcbf262ad067aebb7f0", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|10|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/workspace-user.route.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: DELETE /."}, "properties": {"repobilityId": 87844, "scanner": "repobility-access-control", "fingerprint": "120b22f749d3309dc49d5964e3a5efe4e65f29e89f14afab52903423978a45b1", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|15|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/organization-user.route.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: PUT /."}, "properties": {"repobilityId": 87843, "scanner": "repobility-access-control", "fingerprint": "a2f013beae1323b22b05b7cc7ac9bbf338f061552d4364bdcf5452547fe5813b", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/", "method": "PUT", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|13|auc004", "identity_targets": ["authenticated", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/organization-user.route.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /."}, "properties": {"repobilityId": 87842, "scanner": "repobility-access-control", "fingerprint": "0d15d800fad10654856c80d73aace7019c4af1761b0d24761683020a9fb0b9ff", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|11|auc004", "duplicate_count": 1, "identity_targets": ["authenticated", "admin"], "duplicate_rule_ids": ["AUC004"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["0d15d800fad10654856c80d73aace7019c4af1761b0d24761683020a9fb0b9ff", "e79b27017fd647dca1a65d88c0f6e0a809607262c98e3a6f159e9921318a68da"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/organization-user.route.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /logout."}, "properties": {"repobilityId": 87841, "scanner": "repobility-access-control", "fingerprint": "6c721c5df7335d7aecb7a6a89643415543bc01f5487986e99a34e66dc69955d2", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/logout", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|19|auc004", "identity_targets": ["anonymous", "authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/account.route.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: POST /register."}, "properties": {"repobilityId": 87840, "scanner": "repobility-access-control", "fingerprint": "69b059a42b4916c93d7a848273510fb8d2c136d405b15aaed851f09508d40413", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation. Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"path": "/register", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|9|auc004", "duplicate_count": 2, "identity_targets": ["anonymous", "authenticated"], "duplicate_rule_ids": ["AUC004"], "duplicate_scanners": ["repobility-access-control"], "duplicate_fingerprints": ["69b059a42b4916c93d7a848273510fb8d2c136d405b15aaed851f09508d40413", "8bc1fd8b56c33be6ef83b0411a99dcc2b7a464401f71651349c95a229198869d", "9970ab15395bbbd5d1c97736f7dc3499d1f9274e0fce3090038fb012e3b2c822"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/account.route.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 87837, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Express"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `otel-collector` image has no explicit tag"}, "properties": {"repobilityId": 87834, "scanner": "repobility-docker", "fingerprint": "dd04c10f4547b748762b9db6ae665cc6176fa0640ec0c555b52378aeee570ce4", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "otel/opentelemetry-collector-contrib", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|dd04c10f4547b748762b9db6ae665cc6176fa0640ec0c555b52378aeee570ce4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "metrics/otel/compose.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `flowise` image uses the latest tag"}, "properties": {"repobilityId": 87831, "scanner": "repobility-docker", "fingerprint": "143bfc97038b5b133c2f704e019d025e0fde1e2fa7bef8715030525440bc80ff", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "flowiseai/flowise-worker:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|143bfc97038b5b133c2f704e019d025e0fde1e2fa7bef8715030525440bc80ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/worker/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `flowise` image uses the latest tag"}, "properties": {"repobilityId": 87828, "scanner": "repobility-docker", "fingerprint": "f38b6b59c40f9ade543f812cbfab7510f97bfd4d3548c3ab937af8c44d4ec578", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "flowiseai/flowise:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f38b6b59c40f9ade543f812cbfab7510f97bfd4d3548c3ab937af8c44d4ec578"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 87827, "scanner": "repobility-docker", "fingerprint": "89025512b47edc4186bd88dcc99189f8e6f86a028286f76538dc2646b844e975", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:24-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|89025512b47edc4186bd88dcc99189f8e6f86a028286f76538dc2646b844e975"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/worker/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 87826, "scanner": "repobility-docker", "fingerprint": "7b0ae478fca7bfc44beeef3b264827a6b93c842acfb4633a11ffded83a627f8c", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 21 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 21, "correlation_key": "fp|7b0ae478fca7bfc44beeef3b264827a6b93c842acfb4633a11ffded83a627f8c", "dependency_install_line": 23}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/worker/Dockerfile"}, "region": {"startLine": 23}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 87825, "scanner": "repobility-docker", "fingerprint": "332bbbad5624755a61cf3515ae9f624facff55f6ac1fc0dae87fd411a2f450c3", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|332bbbad5624755a61cf3515ae9f624facff55f6ac1fc0dae87fd411a2f450c3", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/worker/Dockerfile"}, "region": {"startLine": 21}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 87824, "scanner": "repobility-docker", "fingerprint": "c52d2ee7da2dae2ed716db01814007065b9b0d6c3670db5d177b29ba39cc4d71", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "node:${NODE_VERSION}-alpine", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c52d2ee7da2dae2ed716db01814007065b9b0d6c3670db5d177b29ba39cc4d71"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKR017", "level": "warning", "message": {"text": "Dockerfile installs dependencies after copying the full source tree"}, "properties": {"repobilityId": 87821, "scanner": "repobility-docker", "fingerprint": "79af79fcc2f0aee059e5b262fe69be37067c8b8c4d3b4ba918198ae757846b80", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy at line 31 appears before dependency installation.", "evidence": {"rule_id": "DKR017", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "broad_copy_line": 31, "correlation_key": "fp|79af79fcc2f0aee059e5b262fe69be37067c8b8c4d3b4ba918198ae757846b80", "dependency_install_line": 34}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 34}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 87820, "scanner": "repobility-docker", "fingerprint": "46ff51bf967b822e141dbd3edb8b2223c7e9aa7114d41a32f6e7ec1564d4c642", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|46ff51bf967b822e141dbd3edb8b2223c7e9aa7114d41a32f6e7ec1564d4c642", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 31}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 87787, "scanner": "repobility-threat-engine", "fingerprint": "cdad6dea368c8b19f08a773b7695a2415a03fd30362e96526484bed6b74b4436", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "key: new Date().getTime() + Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cdad6dea368c8b19f08a773b7695a2415a03fd30362e96526484bed6b74b4436"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ui/src/ui-component/dialog/ExportAsTemplateDialog.jsx"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 87786, "scanner": "repobility-threat-engine", "fingerprint": "ef5c7c28147808f5e07aa323b28bfefa19e115e80d433b75d0366625782ede8d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random()\n        }\n    }\n}\n\nexport const closeSnackbar = (key", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ef5c7c28147808f5e07aa323b28bfefa19e115e80d433b75d0366625782ede8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ui/src/store/actions.js"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 87785, "scanner": "repobility-threat-engine", "fingerprint": "2a9642d630a357b682eae56be498746d3e381b4497d01603a1927ce62dc7f096", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random(),\n                variant: 'success',\n                action: (key", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2a9642d630a357b682eae56be498746d3e381b4497d01603a1927ce62dc7f096"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ui/src/layout/MainLayout/Sidebar/CloudMenuList.jsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 87783, "scanner": "repobility-threat-engine", "fingerprint": "d56e2800d2d5fa40a956fbc508ef3cf07398af4b207aa5f4c028fb8c26e8221b", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "key: new Date().getTime() + Math.random", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|103|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ui/src/ui-component/dialog/ExportAsTemplateDialog.jsx"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 87782, "scanner": "repobility-threat-engine", "fingerprint": "5790c3e8f635878ae6f89b859e6c3b1a6c7f564a1aa6c35aba508e32f1c3bdaa", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "key: key || new Date().getTime() + Math.random", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|40|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ui/src/store/actions.js"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 87781, "scanner": "repobility-threat-engine", "fingerprint": "9e425a90c697e3ac3ab69d92e109966006f7b5f7ea8df317e194282e094796e5", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "key: new Date().getTime() + Math.random", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|41|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ui/src/layout/MainLayout/Sidebar/CloudMenuList.jsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 87779, "scanner": "repobility-threat-engine", "fingerprint": "b24a306164da0fb2d832c4cef2ef1f88d1c96b88c2d2949a3304605881e7cb8a", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD = '<redacted> Password'", "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|6|password redacted password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/utils/constants.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 87778, "scanner": "repobility-threat-engine", "fingerprint": "5ae4f4ee93ac7f4620d05dba66289c8539d5fef6d45cfade5248d80a8b089ce9", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "evidence": {"match": "PASSWORD = '<redacted> Password'", "reason": "Low entropy value (3.6 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|8|password redacted password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/Interface.Enterprise.ts"}, "region": {"startLine": 88}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 87777, "scanner": "repobility-threat-engine", "fingerprint": "0fda9e6ee276f7a6a6db925fb73ff24b262f63c1fa7d76dda2a5968cc5c0c8e7", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0fda9e6ee276f7a6a6db925fb73ff24b262f63c1fa7d76dda2a5968cc5c0c8e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/webhook-listener/registry.ts"}, "region": {"startLine": 98}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 87776, "scanner": "repobility-threat-engine", "fingerprint": "ba610e7d40c190a0efb902547856938b25cecb680b31803da18594df386471d5", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ba610e7d40c190a0efb902547856938b25cecb680b31803da18594df386471d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/mcp-endpoint/index.ts"}, "region": {"startLine": 318}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 87775, "scanner": "repobility-threat-engine", "fingerprint": "74230c5ccbe92f9fe7679f5b6c62421bfa3f2c24b13d65cabe101b9c92f43695", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|74230c5ccbe92f9fe7679f5b6c62421bfa3f2c24b13d65cabe101b9c92f43695"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/controllers/webhook-listener/index.ts"}, "region": {"startLine": 80}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 87772, "scanner": "repobility-threat-engine", "fingerprint": "16bda6b9e1f641debd1449414f2487d3fbcaee9c52dc8ca4ed1dcbf2550dd0fb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (error) {\n                return []\n            }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|16bda6b9e1f641debd1449414f2487d3fbcaee9c52dc8ca4ed1dcbf2550dd0fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/nodes/index.ts"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 87771, "scanner": "repobility-threat-engine", "fingerprint": "8ccaf85daf8384499355eab0ef526dbe0c251de702ec936609da56117648b96d", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (error) {\n                return []\n            }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8ccaf85daf8384499355eab0ef526dbe0c251de702ec936609da56117648b96d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/tools/MCP/CustomMcpServerTool/CustomMcpServerTool.ts"}, "region": {"startLine": 76}}}]}, {"ruleId": "SEC017", "level": "warning", "message": {"text": "[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Cost abuse \u2014 an attacker can send extremely long inputs to burn through your API credits (a single 128K-token request to GPT-4 costs ~$4, and automated attacks can drain budgets in minutes). (2) Context stuffing \u2014 oversized inputs can push your system prompt out of the context window, effectively disab"}, "properties": {"repobilityId": 87770, "scanner": "repobility-threat-engine", "fingerprint": "7d4224a82a73f89d38c02b5099335eb582e91526a1994008bb5f1a8f21d3e404", "category": "llm_injection", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User input is passed to an AI/LLM API with no visible length check or rate limit. An attacker can send extremely long inputs to: (1) drain your API budget (128K tokens to GPT-4 \u2248 $4/request, automated = thousands of dollars), (2) push your system prompt out of the context window, disabling safety guardrails. Add input length validation before the API call.", "evidence": {"match": "LLM.invoke(this.prompt.replace(`{{${queryPrefix}}}`, query", "reason": "User input is passed to an AI/LLM API with no visible length check or rate limit. An attacker can send extremely long inputs to: (1) drain your API budget (128K tokens to GPT-4 \u2248 $4/request, automated = thousands of dollars), (2) push your system prompt out of the context window, disabling safety guardrails. Add input length validation before the API call.", "rule_id": "SEC017", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "fp|7d4224a82a73f89d38c02b5099335eb582e91526a1994008bb5f1a8f21d3e404"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/retrievers/ExtractMetadataRetriever/ExtractMetadataRetriever.ts"}, "region": {"startLine": 179}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 87769, "scanner": "repobility-threat-engine", "fingerprint": "ca7d086fc45b3070eb0878ef4078ea528cd18a58edf213da3842f7289dcfc5c3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"John Doe\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ca7d086fc45b3070eb0878ef4078ea528cd18a58edf213da3842f7289dcfc5c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/tools/RequestsPut/RequestsPut.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 87768, "scanner": "repobility-threat-engine", "fingerprint": "5742c4c097bec2899913ef8a67bfb4774ba6d96ac1538cd260ac52d81846c933", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"John Doe\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5742c4c097bec2899913ef8a67bfb4774ba6d96ac1538cd260ac52d81846c933"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/tools/RequestsPost/RequestsPost.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 87767, "scanner": "repobility-threat-engine", "fingerprint": "45f4020eaab2c9ed3723ed8381490602318a722f7b3867bcc753780e2fb9c9a2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Lorem ipsum dolor sit amet", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|45f4020eaab2c9ed3723ed8381490602318a722f7b3867bcc753780e2fb9c9a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/documentloaders/PlainText/PlainText.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC125", "level": "warning", "message": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim \u2014 production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand"}, "properties": {"repobilityId": 87741, "scanner": "repobility-threat-engine", "fingerprint": "5d8a15a6f3be86d09797a2e6d25f676a96a60cb25d2fa480a7c219122c552892", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'<YOUR-APIKEY>'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC125", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5d8a15a6f3be86d09797a2e6d25f676a96a60cb25d2fa480a7c219122c552892"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/credentials/IBMWatsonx.credential.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 87739, "scanner": "repobility-threat-engine", "fingerprint": "26c525ae1ef41d40b2680f1099be14d97568f1bfc11c1c841f99c3a985873186", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found Collapsed 2 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "<a target=\"_blank\" href=\"https://support.airtable.com/docs/creating-and-using-api-keys-and-access-to", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|15|sec041", "duplicate_count": 2, "duplicate_rule_ids": ["SEC041"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["26c525ae1ef41d40b2680f1099be14d97568f1bfc11c1c841f99c3a985873186", "71dbe4056d185c4fd688384cba4e235f2025b217f382cb6c52eacc93e4165b26", "baa5ff9eb7e40d7a010a7b2de6492f88e97db63b826f26794beac9acbb096024"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/credentials/AirtableApi.credential.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 87716, "scanner": "repobility-threat-engine", "fingerprint": "0ecb8eea623d5e95af44cd49f160efcb862445731f41036a82cee7df8478df65", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|102|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/tools/Arxiv/core.ts"}, "region": {"startLine": 102}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 87715, "scanner": "repobility-threat-engine", "fingerprint": "2e205d33cac6f5de70db200e03ddba003392aa58347762476cf0a214e0c7d876", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|18|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/core/utils/variableUtils.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 87714, "scanner": "repobility-threat-engine", "fingerprint": "045d6507240c6b52b2cbd152c130fc213a1579c124221ab6ef94043aa4b1272a", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|154|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/atoms/utils/xmlTagUtils.ts"}, "region": {"startLine": 154}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 87836, "scanner": "repobility-docker", "fingerprint": "78fcfdc77e08cff76aba855920fc92c8f2fd87c321a09b93b72a9e304d839534", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "otel-collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|78fcfdc77e08cff76aba855920fc92c8f2fd87c321a09b93b72a9e304d839534"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "metrics/otel/compose.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 87835, "scanner": "repobility-docker", "fingerprint": "e4b120e475bf06b3c0fa120f0c37e9d026c0abd19bf75a7ccd520fbdbf6c9eb1", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "otel-collector", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e4b120e475bf06b3c0fa120f0c37e9d026c0abd19bf75a7ccd520fbdbf6c9eb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "metrics/otel/compose.yaml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 87833, "scanner": "repobility-docker", "fingerprint": "c2faf91c9c29702782e1266d73818e30a4be2060afa452fcdaa31ebf4699a86a", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "flowise", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c2faf91c9c29702782e1266d73818e30a4be2060afa452fcdaa31ebf4699a86a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/worker/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 87832, "scanner": "repobility-docker", "fingerprint": "c0b9a3942228ed1c2a29feaac9ef7da37d442b2ef75678fd299430b58d6241dd", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "flowise", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c0b9a3942228ed1c2a29feaac9ef7da37d442b2ef75678fd299430b58d6241dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/worker/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 87830, "scanner": "repobility-docker", "fingerprint": "c7566433ba21757a8a494bf72915a63649f783b35b8ce2473f76c50a07c2a69e", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "flowise", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c7566433ba21757a8a494bf72915a63649f783b35b8ce2473f76c50a07c2a69e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 87829, "scanner": "repobility-docker", "fingerprint": "e64ab2c2ef743cf94456a1eab68096470ce71de87ba8bb20e5cf0df4fb78fc5e", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "flowise", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e64ab2c2ef743cf94456a1eab68096470ce71de87ba8bb20e5cf0df4fb78fc5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 87822, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87819, "scanner": "repobility-ai-code-hygiene", "fingerprint": "408f7112655057ab1cfee4425ab75fd8b5c0b7278f8be51a3cb959c89cc67102", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/nodes/agents/AirtableAgent/core.ts", "duplicate_line": 1, "correlation_key": "fp|408f7112655057ab1cfee4425ab75fd8b5c0b7278f8be51a3cb959c89cc67102"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/agents/CSVAgent/core.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87818, "scanner": "repobility-ai-code-hygiene", "fingerprint": "24a4b6494b6faa7cca371406c59149a0a99f4ed387cd2077915a8c7e5ab84223", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/nodes/agents/AirtableAgent/AirtableAgent.ts", "duplicate_line": 132, "correlation_key": "fp|24a4b6494b6faa7cca371406c59149a0a99f4ed387cd2077915a8c7e5ab84223"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/agents/CSVAgent/CSVAgent.ts"}, "region": {"startLine": 144}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87817, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6b96bcc6f3a78c5df384084ba81c8c46d6815fb7a287b793428d6b51ebfa4862", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/nodes/agentflow/CustomFunction/CustomFunction.ts", "duplicate_line": 35, "correlation_key": "fp|6b96bcc6f3a78c5df384084ba81c8c46d6815fb7a287b793428d6b51ebfa4862"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/agentflow/Tool/Tool.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87816, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5da53042087090c5cfd8f03777aa85ccf2eb2c8d43ea64f456a772413c1a36f7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/nodes/agentflow/Condition/Condition.ts", "duplicate_line": 46, "correlation_key": "fp|5da53042087090c5cfd8f03777aa85ccf2eb2c8d43ea64f456a772413c1a36f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/agentflow/Start/Start.ts"}, "region": {"startLine": 112}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87815, "scanner": "repobility-ai-code-hygiene", "fingerprint": "42f2acfd5436c5a07a09f78564e00286811a788315eab79074c53e8b36b2cea2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/nodes/agentflow/CustomFunction/CustomFunction.ts", "duplicate_line": 35, "correlation_key": "fp|42f2acfd5436c5a07a09f78564e00286811a788315eab79074c53e8b36b2cea2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/agentflow/Retriever/Retriever.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87814, "scanner": "repobility-ai-code-hygiene", "fingerprint": "84d07274e55cd368052efe17a4a5dc1b99ad0d9966423aa7ab718ea739dbf37f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/nodes/agentflow/CustomFunction/CustomFunction.ts", "duplicate_line": 35, "correlation_key": "fp|84d07274e55cd368052efe17a4a5dc1b99ad0d9966423aa7ab718ea739dbf37f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/agentflow/Loop/Loop.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87813, "scanner": "repobility-ai-code-hygiene", "fingerprint": "569253b41eee688b9f8d7084a0c712541bc96dc8db8ba7c9e448144bc1eced42", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/nodes/agentflow/ExecuteFlow/ExecuteFlow.ts", "duplicate_line": 18, "correlation_key": "fp|569253b41eee688b9f8d7084a0c712541bc96dc8db8ba7c9e448144bc1eced42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/agentflow/Iteration/Iteration.ts"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87812, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8dfb5f474be8244c388b23d047161507eb3a0bc7faf0f2e7f8e4234fcc37a9b1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/nodes/agentflow/ConditionAgent/ConditionAgent.ts", "duplicate_line": 173, "correlation_key": "fp|8dfb5f474be8244c388b23d047161507eb3a0bc7faf0f2e7f8e4234fcc37a9b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/agentflow/HumanInput/HumanInput.ts"}, "region": {"startLine": 105}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87811, "scanner": "repobility-ai-code-hygiene", "fingerprint": "39d873ed0a5595f1f12f4f77bc44147087a59b473d38f9621d796de7ba906bb6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/nodes/agentflow/ExecuteFlow/ExecuteFlow.ts", "duplicate_line": 18, "correlation_key": "fp|39d873ed0a5595f1f12f4f77bc44147087a59b473d38f9621d796de7ba906bb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/agentflow/HumanInput/HumanInput.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87810, "scanner": "repobility-ai-code-hygiene", "fingerprint": "807fdf087cbca31364b1982c86d880df1f437c394e6f1ab6aebecd3624be644f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/nodes/agentflow/ExecuteFlow/ExecuteFlow.ts", "duplicate_line": 18, "correlation_key": "fp|807fdf087cbca31364b1982c86d880df1f437c394e6f1ab6aebecd3624be644f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/agentflow/HTTP/HTTP.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87809, "scanner": "repobility-ai-code-hygiene", "fingerprint": "00e87f1eacbedb30e18db665e965dffed973544f68249d5a04e193894c4a7a72", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/nodes/agentflow/CustomFunction/CustomFunction.ts", "duplicate_line": 90, "correlation_key": "fp|00e87f1eacbedb30e18db665e965dffed973544f68249d5a04e193894c4a7a72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/agentflow/ExecuteFlow/ExecuteFlow.ts"}, "region": {"startLine": 96}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87808, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d4aa7a19522905763745d63ec6c692f3872e576a3fea295d9e590bbc386e85f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/nodes/agentflow/CustomFunction/CustomFunction.ts", "duplicate_line": 35, "correlation_key": "fp|9d4aa7a19522905763745d63ec6c692f3872e576a3fea295d9e590bbc386e85f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/agentflow/DirectReply/DirectReply.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87807, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6e391dfb35828e89e8755559c1c6792aefd2b785950e0ff366c6167a1969417c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/nodes/agentflow/Condition/Condition.ts", "duplicate_line": 10, "correlation_key": "fp|6e391dfb35828e89e8755559c1c6792aefd2b785950e0ff366c6167a1969417c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/agentflow/ConditionAgent/ConditionAgent.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87806, "scanner": "repobility-ai-code-hygiene", "fingerprint": "590b6eeb52db17afb72adc540f20c4b50dc7003e27f4eafc7a8b580632e20975", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/credentials/GmailOAuth2.credential.ts", "duplicate_line": 32, "correlation_key": "fp|590b6eeb52db17afb72adc540f20c4b50dc7003e27f4eafc7a8b580632e20975"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/credentials/SlackOAuth2.credential.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87805, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bd32ae210815bb78115b6c77da34617e373fc9f37a3d0c3bd6e59f48c6162e66", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/credentials/GmailOAuth2.credential.ts", "duplicate_line": 32, "correlation_key": "fp|bd32ae210815bb78115b6c77da34617e373fc9f37a3d0c3bd6e59f48c6162e66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/credentials/MicrosoftTeamsOAuth2.credential.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87804, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a4368cb26f09cfde2ec2b85a9cc85766d5c3581f11a8e035e62f70b077a24086", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/credentials/MicrosoftOutlookOAuth2.credential.ts", "duplicate_line": 29, "correlation_key": "fp|a4368cb26f09cfde2ec2b85a9cc85766d5c3581f11a8e035e62f70b077a24086"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/credentials/MicrosoftTeamsOAuth2.credential.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87803, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d1ca66d4371dd454a0cf412fd6c7aee98f59aba76965806657d2d31418f8e5cd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/credentials/GmailOAuth2.credential.ts", "duplicate_line": 32, "correlation_key": "fp|d1ca66d4371dd454a0cf412fd6c7aee98f59aba76965806657d2d31418f8e5cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/credentials/MicrosoftOutlookOAuth2.credential.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87802, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1f8eb78aba199ce880dc1ed5735106ce977539b384c132b1ac379af1b6413ca5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/credentials/GmailOAuth2.credential.ts", "duplicate_line": 20, "correlation_key": "fp|1f8eb78aba199ce880dc1ed5735106ce977539b384c132b1ac379af1b6413ca5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/credentials/GoogleSheetsOAuth2.credential.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87801, "scanner": "repobility-ai-code-hygiene", "fingerprint": "99aa5a2ae38984e7368e879d5b8b76475e6c9b3b810eadf87361baeec917e389", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/credentials/GoogleDocsOAuth2.credential.ts", "duplicate_line": 16, "correlation_key": "fp|99aa5a2ae38984e7368e879d5b8b76475e6c9b3b810eadf87361baeec917e389"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/credentials/GoogleSheetsOAuth2.credential.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87800, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5f9f28fbfc97a45e227d7e702f05fe2e85e98644129dd7925f195e0e3e701c4b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/credentials/GmailOAuth2.credential.ts", "duplicate_line": 20, "correlation_key": "fp|5f9f28fbfc97a45e227d7e702f05fe2e85e98644129dd7925f195e0e3e701c4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/credentials/GoogleDriveOAuth2.credential.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87799, "scanner": "repobility-ai-code-hygiene", "fingerprint": "159037b692a012eb45cb68bb1e08d3a6f0744fdbadac36d5abe0da2fa1ccf184", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/credentials/GmailOAuth2.credential.ts", "duplicate_line": 20, "correlation_key": "fp|159037b692a012eb45cb68bb1e08d3a6f0744fdbadac36d5abe0da2fa1ccf184"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/credentials/GoogleDocsOAuth2.credential.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87798, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3e2d04e2dfe296e39bdc50fb452713402811aa8cee6d7e5a9deb803605b2e034", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/components/credentials/GmailOAuth2.credential.ts", "duplicate_line": 20, "correlation_key": "fp|3e2d04e2dfe296e39bdc50fb452713402811aa8cee6d7e5a9deb803605b2e034"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/credentials/GoogleCalendarOAuth2.credential.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87797, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a9566a4d4735fd8cc85ac79a9db503d6543b4e3c6d8f2468071932e7842ff6ec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agentflow/src/features/canvas/containers/AgentFlowNode.tsx", "duplicate_line": 103, "correlation_key": "fp|a9566a4d4735fd8cc85ac79a9db503d6543b4e3c6d8f2468071932e7842ff6ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/features/canvas/containers/IterationNode.tsx"}, "region": {"startLine": 148}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87796, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b2a875be4eef9b117c16121675951b2255c7fdf5543ae586ea92bf2a47020afd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agentflow/src/features/canvas/components/ConnectionLine.tsx", "duplicate_line": 18, "correlation_key": "fp|b2a875be4eef9b117c16121675951b2255c7fdf5543ae586ea92bf2a47020afd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/features/canvas/containers/AgentFlowEdge.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87795, "scanner": "repobility-ai-code-hygiene", "fingerprint": "885dd545a17abc668e2d2fb1ab84faa88b36f7af8a0ebef793ea9025bbfd552a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agentflow/src/atoms/RichTextEditor.tsx", "duplicate_line": 48, "correlation_key": "fp|885dd545a17abc668e2d2fb1ab84faa88b36f7af8a0ebef793ea9025bbfd552a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/atoms/VariableInput.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87794, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3dcdd04826ca58015d86aad5a5ff43a156d06b3ecdf1b2bb7dd2c9268154b271", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agentflow/src/atoms/MessagesInput.tsx", "duplicate_line": 181, "correlation_key": "fp|3dcdd04826ca58015d86aad5a5ff43a156d06b3ecdf1b2bb7dd2c9268154b271"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/atoms/StructuredOutputBuilder.tsx"}, "region": {"startLine": 210}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87793, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4b9fa5026da47df68e5713fb0fe182a6f340d3d47307295e3548bef600cafb0a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agentflow/src/atoms/ArrayInput.tsx", "duplicate_line": 108, "correlation_key": "fp|4b9fa5026da47df68e5713fb0fe182a6f340d3d47307295e3548bef600cafb0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/atoms/StructuredOutputBuilder.tsx"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87792, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cd7a86d3af0baeccb1857550eb5adba2a3d5e733fc1ac969ba7f30b9ff73abfd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agentflow/src/atoms/ConditionBuilder.tsx", "duplicate_line": 55, "correlation_key": "fp|cd7a86d3af0baeccb1857550eb5adba2a3d5e733fc1ac969ba7f30b9ff73abfd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/atoms/ScenariosInput.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87791, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f1582ab6d1d7cc3d5f8fedf9c69072eca47c776fe7163d997ea2272a5951d453", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agentflow/src/atoms/ArrayInput.tsx", "duplicate_line": 63, "correlation_key": "fp|f1582ab6d1d7cc3d5f8fedf9c69072eca47c776fe7163d997ea2272a5951d453"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/atoms/ScenariosInput.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 87790, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a7efd5178b7357268b3c225857f056d3f315eca0d7041e07b347a440289e6301", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agentflow/src/atoms/ArrayInput.tsx", "duplicate_line": 68, "correlation_key": "fp|a7efd5178b7357268b3c225857f056d3f315eca0d7041e07b347a440289e6301"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/atoms/ConditionBuilder.tsx"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 87789, "scanner": "repobility-threat-engine", "fingerprint": "74f3f7132e516bc2e0e48ef39a7096ec0dbed8072a9e91b5da6d794f168bae4a", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Upload Items to [' + datasetName + '] Dataset'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|74f3f7132e516bc2e0e48ef39a7096ec0dbed8072a9e91b5da6d794f168bae4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ui/src/views/datasets/UploadCSVFileDialog.jsx"}, "region": {"startLine": 147}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 87823, "scanner": "repobility-docker", "fingerprint": "b3e31c78507bb1e849e440c126672eb66de98288dea4d6ea3da4112037c9925c", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "node:${NODE_VERSION}-alpine", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|b3e31c78507bb1e849e440c126672eb66de98288dea4d6ea3da4112037c9925c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC087", "level": "none", "message": {"text": "[SEC087] JS: weak Math.random for crypto (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "properties": {"repobilityId": 87788, "scanner": "repobility-threat-engine", "fingerprint": "55b27aef9cf925ce3295a59a60d08f0de5122a1582425355f8fac451c96022ef", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|55b27aef9cf925ce3295a59a60d08f0de5122a1582425355f8fac451c96022ef"}}}, {"ruleId": "SEC015", "level": "none", "message": {"text": "[SEC015] Insecure Randomness for Security (and 23 more): Same pattern found in 23 additional files. Review if needed."}, "properties": {"repobilityId": 87784, "scanner": "repobility-threat-engine", "fingerprint": "fa5798f6d98a2a8385e41099b24fed8d02d6a86391fd20c33bdb71cde25218b6", "category": "crypto", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 23 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|fa5798f6d98a2a8385e41099b24fed8d02d6a86391fd20c33bdb71cde25218b6"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 87774, "scanner": "repobility-threat-engine", "fingerprint": "f37dce99c3ab8aa63f009cfd57dd70f45a0fa9bec7013c4fd15a7b26b2b85101", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "logger.info('Running resetPassword')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|3|logger.info running resetpassword"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/commands/user.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 87765, "scanner": "repobility-threat-engine", "fingerprint": "fd8d08e6de1c2fe2dcff894b11bcb5044e86c9d8eb4a804b088501431e5639d9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fd8d08e6de1c2fe2dcff894b11bcb5044e86c9d8eb4a804b088501431e5639d9", "aggregated_count": 9}}}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "properties": {"repobilityId": 87764, "scanner": "repobility-threat-engine", "fingerprint": "512a8328e422951ca387e693815c17e538abcbbbd6b7cf7aca550e5b6ad077a3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|512a8328e422951ca387e693815c17e538abcbbbd6b7cf7aca550e5b6ad077a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/chatmodels/ChatOpenAI/ChatOpenAI.ts"}, "region": {"startLine": 200}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "properties": {"repobilityId": 87763, "scanner": "repobility-threat-engine", "fingerprint": "32c6e615ea8d7099afd1e94b748f681abd78fde3fcd6c77aed82aaaa4f332207", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|32c6e615ea8d7099afd1e94b748f681abd78fde3fcd6c77aed82aaaa4f332207"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/chatmodels/ChatCerebras/ChatCerebras.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "properties": {"repobilityId": 87762, "scanner": "repobility-threat-engine", "fingerprint": "52bf97e4a0bed2b704cabd8f3bfa0de1e442b3c7a68d08e250e491a7776cec08", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|52bf97e4a0bed2b704cabd8f3bfa0de1e442b3c7a68d08e250e491a7776cec08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts"}, "region": {"startLine": 184}}}]}, {"ruleId": "MINED019", "level": "none", "message": {"text": "[MINED019] Ssti Jinja From String (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 87761, "scanner": "repobility-threat-engine", "fingerprint": "ae007fa3f4a1b4292a8ecc662d5e3c2423e255a113a9e9ace75bb96894adb8d3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ae007fa3f4a1b4292a8ecc662d5e3c2423e255a113a9e9ace75bb96894adb8d3", "aggregated_count": 2}}}, {"ruleId": "MINED014", "level": "none", "message": {"text": "[MINED014] Disabled Tls Verify (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 87757, "scanner": "repobility-threat-engine", "fingerprint": "d939bc242338460824f3fd8dd19612185086c346081a85fda3d1dd0d44af95a2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d939bc242338460824f3fd8dd19612185086c346081a85fda3d1dd0d44af95a2", "aggregated_count": 3}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 87753, "scanner": "repobility-threat-engine", "fingerprint": "c066fdac20648ab02e6c78e05ac6d7be6049c4550b793a58bcd25dd5d0594df0", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c066fdac20648ab02e6c78e05ac6d7be6049c4550b793a58bcd25dd5d0594df0"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 53 more): Same pattern found in 53 additional files. Review if needed."}, "properties": {"repobilityId": 87749, "scanner": "repobility-threat-engine", "fingerprint": "c096e4c3ea2cc7c0688c52d94ca80618fef01383d0a5e163d4b2dbc6793cf311", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 53 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c096e4c3ea2cc7c0688c52d94ca80618fef01383d0a5e163d4b2dbc6793cf311", "aggregated_count": 53}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 87748, "scanner": "repobility-threat-engine", "fingerprint": "2b90adb23d931902f7c9a03af7a0149310dd85f92005e0a818c4e614a2d944d5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2b90adb23d931902f7c9a03af7a0149310dd85f92005e0a818c4e614a2d944d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/agentflow/HumanInput/HumanInput.ts"}, "region": {"startLine": 201}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 87747, "scanner": "repobility-threat-engine", "fingerprint": "1e9aa232a4325606a51d15c7d1817da4771d76f0a94e5acfd356458bac1f38dc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1e9aa232a4325606a51d15c7d1817da4771d76f0a94e5acfd356458bac1f38dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/evaluation/EvaluationRunTracerLlama.ts"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 87746, "scanner": "repobility-threat-engine", "fingerprint": "7a9d42c62c25c9608d769fc224ac70b9b375c4303bb120539cb42d89019ee161", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7a9d42c62c25c9608d769fc224ac70b9b375c4303bb120539cb42d89019ee161"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/evaluation/EvaluationRunTracer.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 112 more): Same pattern found in 112 additional files. Review if needed."}, "properties": {"repobilityId": 87745, "scanner": "repobility-threat-engine", "fingerprint": "3d25afe9849c753557d5cb681b9f181580cfacb5ac07c278b57fb63f4d49bcef", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 112 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3d25afe9849c753557d5cb681b9f181580cfacb5ac07c278b57fb63f4d49bcef", "aggregated_count": 112}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 87744, "scanner": "repobility-threat-engine", "fingerprint": "df9d8d7501764b330e6183777e061f2f1049da684287a64d4ff44e5cf23f9291", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|df9d8d7501764b330e6183777e061f2f1049da684287a64d4ff44e5cf23f9291"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/evaluation/EvaluationRunner.ts"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 87743, "scanner": "repobility-threat-engine", "fingerprint": "a6e1be8ed8ed815b0d42fc6ba12778a192c7117c0f7691efb996feb6c5d04f07", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a6e1be8ed8ed815b0d42fc6ba12778a192c7117c0f7691efb996feb6c5d04f07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/evaluation/EvaluationRunTracerLlama.ts"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 87742, "scanner": "repobility-threat-engine", "fingerprint": "6edae11deed87d21336b5ba11a7dd2f77230633879477bafc176d4a42d95d9fb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6edae11deed87d21336b5ba11a7dd2f77230633879477bafc176d4a42d95d9fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/evaluation/EvaluationRunTracer.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\" (and 99 more): Same pattern found in 99 additional files. Review if needed."}, "properties": {"repobilityId": 87740, "scanner": "repobility-threat-engine", "fingerprint": "09266d640a23531fd88ca0c39091fe0e67944c86179b7917190ac4146032372d", "category": "security", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 99 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 99 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|09266d640a23531fd88ca0c39091fe0e67944c86179b7917190ac4146032372d"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 30 more): Same pattern found in 30 additional files. Review if needed."}, "properties": {"repobilityId": 87738, "scanner": "repobility-threat-engine", "fingerprint": "083c83d3dbef3a6ec3bd0e13c37238fca8e9a4f708de1c372301f0d80a845d42", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 30 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|083c83d3dbef3a6ec3bd0e13c37238fca8e9a4f708de1c372301f0d80a845d42", "aggregated_count": 30}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 87737, "scanner": "repobility-threat-engine", "fingerprint": "39431115aa89380d03ece7b1a2d8c667b3b81bfcb68d26fd4c0577dd617988e4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|39431115aa89380d03ece7b1a2d8c667b3b81bfcb68d26fd4c0577dd617988e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/observe/src/features/executions/components/NodeExecutionDetail.tsx"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 87736, "scanner": "repobility-threat-engine", "fingerprint": "5b60723dbe5efbfb1d22398873b5686c96ccccac3c3d4c065634929f09446757", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5b60723dbe5efbfb1d22398873b5686c96ccccac3c3d4c065634929f09446757"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/observe/src/atoms/JsonBlock.tsx"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 87735, "scanner": "repobility-threat-engine", "fingerprint": "0705bebf288ed32e6a6b017c491cd4912eaac6ca6317463bb9de148e11f65958", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0705bebf288ed32e6a6b017c491cd4912eaac6ca6317463bb9de148e11f65958"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/features/node-editor/ConfigInput.tsx"}, "region": {"startLine": 221}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 87734, "scanner": "repobility-threat-engine", "fingerprint": "133d0321df668823d68fda7a262cc53d13053f2174d79a753e1fabffb7f20eec", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|133d0321df668823d68fda7a262cc53d13053f2174d79a753e1fabffb7f20eec", "aggregated_count": 4}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 87733, "scanner": "repobility-threat-engine", "fingerprint": "d9cae4e0107bda958f6862fe2858fdc3a238217f613ed9cc38830f9207673ef6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d9cae4e0107bda958f6862fe2858fdc3a238217f613ed9cc38830f9207673ef6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/tools/MCP/Teradata/TeradataMCP.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 87732, "scanner": "repobility-threat-engine", "fingerprint": "e93e1a9259242961c9feb305e9e890d3e8feace42015eea392c4278681b20563", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e93e1a9259242961c9feb305e9e890d3e8feace42015eea392c4278681b20563"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/tools/Arxiv/core.ts"}, "region": {"startLine": 132}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 87731, "scanner": "repobility-threat-engine", "fingerprint": "a65ad7ae28b807c213cedcabefc00e7a4ee8e9a5e185d5d70ef19575a3481706", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a65ad7ae28b807c213cedcabefc00e7a4ee8e9a5e185d5d70ef19575a3481706"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/features/canvas/containers/AgentFlowEdge.tsx"}, "region": {"startLine": 145}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "properties": {"repobilityId": 87730, "scanner": "repobility-threat-engine", "fingerprint": "a884d8b9c9b37af90da357b7c75eca50333b5b114663c3dfe3363f9ee69163f2", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a884d8b9c9b37af90da357b7c75eca50333b5b114663c3dfe3363f9ee69163f2"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 87721, "scanner": "repobility-threat-engine", "fingerprint": "f0f1912fabc03e8b42b281439b24cb65b4b95c00e24de98dbc05ebdccb4b8c1d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f0f1912fabc03e8b42b281439b24cb65b4b95c00e24de98dbc05ebdccb4b8c1d"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 87717, "scanner": "repobility-threat-engine", "fingerprint": "c80ff157c0dd4f06d29a253eef2e040bc846fc539581945c90fe13c6ec14dd22", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c80ff157c0dd4f06d29a253eef2e040bc846fc539581945c90fe13c6ec14dd22"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 87713, "scanner": "repobility-threat-engine", "fingerprint": "2a90f201efe0fa0c5dec20cc574f41ea779c24e8a2731e92a392ebdb37082c00", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2a90f201efe0fa0c5dec20cc574f41ea779c24e8a2731e92a392ebdb37082c00"}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 87709, "scanner": "repobility-threat-engine", "fingerprint": "86cf3940d58bbc0712ef331aed9f07b66b84763fff2d4533641325f3d1d67673", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|86cf3940d58bbc0712ef331aed9f07b66b84763fff2d4533641325f3d1d67673"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/ui/src/ui-component/safe/SafeHTML.jsx"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 87708, "scanner": "repobility-threat-engine", "fingerprint": "e073d056214b6cd8298e99cab0710215e4ebcad3f41695c4b5dfe68395aa1de5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e073d056214b6cd8298e99cab0710215e4ebcad3f41695c4b5dfe68395aa1de5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/examples/src/TestRunDialog.tsx"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 87707, "scanner": "repobility-threat-engine", "fingerprint": "8d382f1a9011e34b41d4813c5064868da88d0861c3460c6e680d07ddd9a72035", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8d382f1a9011e34b41d4813c5064868da88d0861c3460c6e680d07ddd9a72035", "aggregated_count": 12}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 87706, "scanner": "repobility-threat-engine", "fingerprint": "57e0f4d9293c0669db0bec141ee8dc512be5cd2504ee7056733d4929356d08eb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|57e0f4d9293c0669db0bec141ee8dc512be5cd2504ee7056733d4929356d08eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/atoms/VariablePicker.tsx"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 87705, "scanner": "repobility-threat-engine", "fingerprint": "081637e771b852ca37665d5a801fe5c5da88fd96cabccbe883eebec2b9677587", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|081637e771b852ca37665d5a801fe5c5da88fd96cabccbe883eebec2b9677587"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/atoms/VariableInput.tsx"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 87704, "scanner": "repobility-threat-engine", "fingerprint": "3531c31e850b411b9dbdcfd2b04761c24c81dc20b7099e7def80b5ac9213428a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3531c31e850b411b9dbdcfd2b04761c24c81dc20b7099e7def80b5ac9213428a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/examples/src/TestRunDialog.tsx"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 87703, "scanner": "repobility-threat-engine", "fingerprint": "69d9e44f7e0f30cff2e6e44b2ffbc20744e5dd14f981dbf4b310ea9819e3e23a", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|41|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/examples/src/TestRunDialog.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 76 more): Same pattern found in 76 additional files. Review if needed."}, "properties": {"repobilityId": 87702, "scanner": "repobility-threat-engine", "fingerprint": "48f10328959a5eb71b247cd31ed1b0107fd3648478def74980c9c54f093d11a4", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 76 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|48f10328959a5eb71b247cd31ed1b0107fd3648478def74980c9c54f093d11a4", "aggregated_count": 76}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 87701, "scanner": "repobility-threat-engine", "fingerprint": "667548e7656ce511f5ec8b4161898209c197bc7e148776398024e812fb156aeb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|667548e7656ce511f5ec8b4161898209c197bc7e148776398024e812fb156aeb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/examples/src/demos/CustomUIExample.tsx"}, "region": {"startLine": 248}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 87700, "scanner": "repobility-threat-engine", "fingerprint": "99d1edbbbc853a8f9e1c91e1d6f655d93cc9e589afc1365e9c9e037a27a3753a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|99d1edbbbc853a8f9e1c91e1d6f655d93cc9e589afc1365e9c9e037a27a3753a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/examples/src/demos/BasicExample.tsx"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 87699, "scanner": "repobility-threat-engine", "fingerprint": "09c072737a0353db89e4c3073ec10581fdd3f71d5ccc674fb3a4a8ee470f98d8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|09c072737a0353db89e4c3073ec10581fdd3f71d5ccc674fb3a4a8ee470f98d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/worker/healthcheck/healthcheck.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 87698, "scanner": "repobility-threat-engine", "fingerprint": "5b220fbbcc5595f790c3c8a72a3eb99e3ab75cd2a6fa3d88c2a598ac73068a2d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|5b220fbbcc5595f790c3c8a72a3eb99e3ab75cd2a6fa3d88c2a598ac73068a2d", "aggregated_count": 2}}}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 87697, "scanner": "repobility-threat-engine", "fingerprint": "ef1d88f4077d60b7eb9e452b894194b550ef252ecaf9bc9cd67a401865a9dbd9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ef1d88f4077d60b7eb9e452b894194b550ef252ecaf9bc9cd67a401865a9dbd9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/commands/base.ts"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 87696, "scanner": "repobility-threat-engine", "fingerprint": "9862dbe7e0a3fd159137ec3dd713214596d76102e40c7f3698c7f08f5fea0ee0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9862dbe7e0a3fd159137ec3dd713214596d76102e40c7f3698c7f08f5fea0ee0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/worker/docker-compose.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 87695, "scanner": "repobility-threat-engine", "fingerprint": "d7adcc963b15e462b0686cf8c1abfe970602243e6339049cdaf73e4a94fd0cba", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d7adcc963b15e462b0686cf8c1abfe970602243e6339049cdaf73e4a94fd0cba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/docker-compose.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87919, "scanner": "repobility-supply-chain", "fingerprint": "d73baaa9cd93470db0acbfaeb6f6aff9956804cf893b55334f8ddd50437edb18", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d73baaa9cd93470db0acbfaeb6f6aff9956804cf893b55334f8ddd50437edb18"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_docker_build.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/checkout@v6.0.2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87918, "scanner": "repobility-supply-chain", "fingerprint": "2cdadf72d4c2854504a8a31bded0e3e59667ccf9b0844daa44bb627307d93377", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2cdadf72d4c2854504a8a31bded0e3e59667ccf9b0844daa44bb627307d93377"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-image-dockerhub.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aws-actions/amazon-ecr-login` pinned to mutable ref `@v2`: `uses: aws-actions/amazon-ecr-login@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87917, "scanner": "repobility-supply-chain", "fingerprint": "eaa5fad3b29fdfe6c60b8bac7ebc1811e9db37cb1eab4700625da9ad625d525e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eaa5fad3b29fdfe6c60b8bac7ebc1811e9db37cb1eab4700625da9ad625d525e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-image-ecr.yml"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/checkout@v6.0.2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87916, "scanner": "repobility-supply-chain", "fingerprint": "d0879967b3ed8ca3ab171f4c2f5750938721b214e61b7cd616e5f4dedff62b87", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d0879967b3ed8ca3ab171f4c2f5750938721b214e61b7cd616e5f4dedff62b87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/docker-image-ecr.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cypress-io/github-action` pinned to mutable ref `@v7.1.5`: `uses: cypress-io/github-action@v7.1.5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87915, "scanner": "repobility-supply-chain", "fingerprint": "cf3e729c6c9fa8bae9173b9aa691156e4c52ad4fb9e19d8474f448d83766d3c8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cf3e729c6c9fa8bae9173b9aa691156e4c52ad4fb9e19d8474f448d83766d3c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cypress-io/github-action` pinned to mutable ref `@v7.1.5`: `uses: cypress-io/github-action@v7.1.5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87914, "scanner": "repobility-supply-chain", "fingerprint": "c8cfce4f9eefd19a3bdb3cda5d15b047ccbb0e9d1d52f7552cbd0ab581600e3e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c8cfce4f9eefd19a3bdb3cda5d15b047ccbb0e9d1d52f7552cbd0ab581600e3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87913, "scanner": "repobility-supply-chain", "fingerprint": "7e439b876807b77eccbd2b16fbc3ad68df3aaa2ae5b8df4d5f1b5ae509b1861f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e439b876807b77eccbd2b16fbc3ad68df3aaa2ae5b8df4d5f1b5ae509b1861f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87912, "scanner": "repobility-supply-chain", "fingerprint": "5c52b4a78b12ff4127395b38b9989386bc4a685a7e55feec0f234c266525de20", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5c52b4a78b12ff4127395b38b9989386bc4a685a7e55feec0f234c266525de20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87911, "scanner": "repobility-supply-chain", "fingerprint": "0cadfd73ad1fb6c7a616115efa9e507c0f1593f38da8efb942945ca21f964a23", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0cadfd73ad1fb6c7a616115efa9e507c0f1593f38da8efb942945ca21f964a23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/main.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87910, "scanner": "repobility-supply-chain", "fingerprint": "e3eeb69e74a95eb31a6f5b34c2f902bba71e9c08fb6ceafd7b7c7bffffbd64af", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e3eeb69e74a95eb31a6f5b34c2f902bba71e9c08fb6ceafd7b7c7bffffbd64af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/proprietary-path-guard.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87909, "scanner": "repobility-supply-chain", "fingerprint": "ebdd440139ffa2c187f550611e767165e8f3be3fd18628c90c114aa1498c11b4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ebdd440139ffa2c187f550611e767165e8f3be3fd18628c90c114aa1498c11b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-package.yml"}, "region": {"startLine": 128}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87908, "scanner": "repobility-supply-chain", "fingerprint": "15413dd1cfac52423cfcc7b786079e05f58b77b56045f47f015d4d08897cf46a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|15413dd1cfac52423cfcc7b786079e05f58b77b56045f47f015d4d08897cf46a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-package.yml"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87907, "scanner": "repobility-supply-chain", "fingerprint": "cd3ec2eeee96290f63050544ef1a6794f390bcd7c255c9754b5f3faecd52f3d0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd3ec2eeee96290f63050544ef1a6794f390bcd7c255c9754b5f3faecd52f3d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-package.yml"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87906, "scanner": "repobility-supply-chain", "fingerprint": "d67588f3685a7a04626e05c274e25e77024ce4b148de3ef0d5e277b65b2c15ca", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d67588f3685a7a04626e05c274e25e77024ce4b148de3ef0d5e277b65b2c15ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-package.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v6`: `uses: pnpm/action-setup@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87905, "scanner": "repobility-supply-chain", "fingerprint": "e39552b2b6013377e9599c62ac47481cbc76db4c845a8e95584e3cdcd74a3afc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e39552b2b6013377e9599c62ac47481cbc76db4c845a8e95584e3cdcd74a3afc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-package.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 87904, "scanner": "repobility-supply-chain", "fingerprint": "d016716de1c246239b56dc5d20d902b465dd404fc7f9bbd37605d2ca900d28cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d016716de1c246239b56dc5d20d902b465dd404fc7f9bbd37605d2ca900d28cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish-package.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED130", "level": "error", "message": {"text": "[MINED130] Lockfile pulls package from off-canonical host `artifactory.workday.com`: `package-lock.json` resolved URL for `node_modules/@babel/code-frame` is `https://artifactory.workday.com/artifactory/api/npm/npm-virtual/@babel/code-fram...` \u2014 host `artifactory.workday.com` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry."}, "properties": {"repobilityId": 87903, "scanner": "repobility-supply-chain", "fingerprint": "08a576fca34ab9542a96431e30d6cffc4ece8ef6126890454c4f4bfa9d108810", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-lockfile-off-registry", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|08a576fca34ab9542a96431e30d6cffc4ece8ef6126890454c4f4bfa9d108810"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/observe/examples/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED130", "level": "error", "message": {"text": "[MINED130] Lockfile pulls package from off-canonical host `artifactory.workday.com`: `package-lock.json` resolved URL for `node_modules/@babel/code-frame` is `https://artifactory.workday.com/artifactory/api/npm/npm-virtual/@babel/code-fram...` \u2014 host `artifactory.workday.com` is not the canonical registry. Could be a mirror compromise, dependency confusion attack, or a forgotten private registry."}, "properties": {"repobilityId": 87902, "scanner": "repobility-supply-chain", "fingerprint": "254eaf5425e95178ab1cfad1802e8269d258e23767eae0797e251421bed65109", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-lockfile-off-registry", "owasp": null, "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|254eaf5425e95178ab1cfad1802e8269d258e23767eae0797e251421bed65109"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/examples/package-lock.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-alpine` not pinned by digest: `FROM node:24-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 87901, "scanner": "repobility-supply-chain", "fingerprint": "a412aff9733620981f1a530dbb74fbefddb7fc39d085c0a781bc805ff6762bd4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a412aff9733620981f1a530dbb74fbefddb7fc39d085c0a781bc805ff6762bd4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/worker/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-alpine` not pinned by digest: `FROM node:24-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 87900, "scanner": "repobility-supply-chain", "fingerprint": "f14e746b59e953656f7e56a210c7199a5f7ac6c0931c1fbfac4ca753415c0549", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f14e746b59e953656f7e56a210c7199a5f7ac6c0931c1fbfac4ca753415c0549"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `node:24-alpine` not pinned by digest: `FROM node:24-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 87899, "scanner": "repobility-supply-chain", "fingerprint": "258ddb4faebf0a39d13e08d2200346fb69f9bcad2815ad86df0eb664451339fe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|258ddb4faebf0a39d13e08d2200346fb69f9bcad2815ad86df0eb664451339fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PUT / has no auth: Express route PUT / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87898, "scanner": "repobility-route-auth", "fingerprint": "08ed484fc1bdfa022bc1b46cd774b96a94282bb00c7888429ae9a0587bbf100c", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|08ed484fc1bdfa022bc1b46cd774b96a94282bb00c7888429ae9a0587bbf100c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/workspace.route.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /switch has no auth: Express route POST /switch declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87897, "scanner": "repobility-route-auth", "fingerprint": "a8de586aa1103a3d00b62aec7af665e49efe1a9bf87dfd41d1c8b29f9af322fe", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|a8de586aa1103a3d00b62aec7af665e49efe1a9bf87dfd41d1c8b29f9af322fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/workspace.route.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST / has no auth: Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87896, "scanner": "repobility-route-auth", "fingerprint": "b669c64e779d145e8705c82a3b0aefba5cf2ef9cd556633ab2026cc4802681b6", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b669c64e779d145e8705c82a3b0aefba5cf2ef9cd556633ab2026cc4802681b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/workspace.route.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE / has no auth: Express route DELETE / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87895, "scanner": "repobility-route-auth", "fingerprint": "6049e2dfe1afcdbcd8269616aa800ae06c4cc4702ef40e5fcf3d3bd1eca996d0", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6049e2dfe1afcdbcd8269616aa800ae06c4cc4702ef40e5fcf3d3bd1eca996d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/workspace-user.route.ts"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PUT / has no auth: Express route PUT / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87894, "scanner": "repobility-route-auth", "fingerprint": "6c314bdb4fe691f79fee215b15c129e0f0cf3f9eda51f57a30009a8b1133b6b5", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|6c314bdb4fe691f79fee215b15c129e0f0cf3f9eda51f57a30009a8b1133b6b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/workspace-user.route.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST / has no auth: Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87893, "scanner": "repobility-route-auth", "fingerprint": "76a7aa4590381e383f2013f66da2dc0ee939cdd1d12b0dc083c89d869f0c55c2", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|76a7aa4590381e383f2013f66da2dc0ee939cdd1d12b0dc083c89d869f0c55c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/workspace-user.route.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE / has no auth: Express route DELETE / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87892, "scanner": "repobility-route-auth", "fingerprint": "ec9e0c6ea698a624ec5d629f5102d85a6ba6b98a2bf2db23455ee1bd34d79273", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|ec9e0c6ea698a624ec5d629f5102d85a6ba6b98a2bf2db23455ee1bd34d79273"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/role.route.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PUT / has no auth: Express route PUT / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87891, "scanner": "repobility-route-auth", "fingerprint": "914b345d2e299c82af4f7bea7952ddbe3f139eeef6489f42316dee516d3c4fb9", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|914b345d2e299c82af4f7bea7952ddbe3f139eeef6489f42316dee516d3c4fb9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/role.route.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST / has no auth: Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87890, "scanner": "repobility-route-auth", "fingerprint": "b14aed53df46d968b03bcd5c0cb18e2292c21ccc8458a6800af10b50886586d5", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|b14aed53df46d968b03bcd5c0cb18e2292c21ccc8458a6800af10b50886586d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/role.route.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE / has no auth: Express route DELETE / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87889, "scanner": "repobility-route-auth", "fingerprint": "4756c00c1e2a8cfa718b7d9fdaa302fc17f02bc47a6e42f5df8057ba8d5ae376", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|4756c00c1e2a8cfa718b7d9fdaa302fc17f02bc47a6e42f5df8057ba8d5ae376"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/organization-user.route.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PUT / has no auth: Express route PUT / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87888, "scanner": "repobility-route-auth", "fingerprint": "7ac8cde34e58af0d1a1dfd98a96ceda19ae33a0534c3170dbf0c23dac16fea34", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|7ac8cde34e58af0d1a1dfd98a96ceda19ae33a0534c3170dbf0c23dac16fea34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/organization-user.route.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST / has no auth: Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87887, "scanner": "repobility-route-auth", "fingerprint": "3cf3ff73a6839ea7bcfd7d02db678c87dfccc253b3179506ee5a8f36e3209175", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|3cf3ff73a6839ea7bcfd7d02db678c87dfccc253b3179506ee5a8f36e3209175"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/organization-user.route.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express DELETE /delete has no auth: Express route DELETE /delete declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87886, "scanner": "repobility-route-auth", "fingerprint": "bd75fbfeba2685eb9b7c1b948627b2a40b13b87990c54b677ad7d9eaea577986", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|bd75fbfeba2685eb9b7c1b948627b2a40b13b87990c54b677ad7d9eaea577986"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/account.route.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /billing has no auth: Express route POST /billing declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87885, "scanner": "repobility-route-auth", "fingerprint": "8d3d6ba46f1e4689462b005ebab87da53ede874f713c15d24dc3ef332d363463", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|8d3d6ba46f1e4689462b005ebab87da53ede874f713c15d24dc3ef332d363463"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/account.route.ts"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /reset-password has no auth: Express route POST /reset-password declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87884, "scanner": "repobility-route-auth", "fingerprint": "37c063718c2572c82146ab4c4eaeca97a4a89c7b8a00d77a8adebd31a7b3629a", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|37c063718c2572c82146ab4c4eaeca97a4a89c7b8a00d77a8adebd31a7b3629a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/account.route.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /forgot-password has no auth: Express route POST /forgot-password declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87883, "scanner": "repobility-route-auth", "fingerprint": "7caa1d7f8fbd164f5822020ff5cb17e1592e6ae0578e2bf89366f92e0cfd7679", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|7caa1d7f8fbd164f5822020ff5cb17e1592e6ae0578e2bf89366f92e0cfd7679"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/account.route.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /resend-verification has no auth: Express route POST /resend-verification declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87882, "scanner": "repobility-route-auth", "fingerprint": "61d5c03606570291afde38e998e02321cc44b3c8528d79961cabe070b055c084", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|61d5c03606570291afde38e998e02321cc44b3c8528d79961cabe070b055c084"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/account.route.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /confirm-email-change has no auth: Express route POST /confirm-email-change declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87881, "scanner": "repobility-route-auth", "fingerprint": "711f2f8ec9d4696f11f1e71fc849ce9d4bb85720413dd3b9728f5f616870916f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|711f2f8ec9d4696f11f1e71fc849ce9d4bb85720413dd3b9728f5f616870916f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/account.route.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /verify has no auth: Express route POST /verify declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87880, "scanner": "repobility-route-auth", "fingerprint": "2814bb9423db4a00a2dcb1595a7b81cb40a5e83346ae5930996c61cfd04a7c32", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|2814bb9423db4a00a2dcb1595a7b81cb40a5e83346ae5930996c61cfd04a7c32"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/account.route.ts"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /logout has no auth: Express route POST /logout declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87879, "scanner": "repobility-route-auth", "fingerprint": "61b1cd2322c4848b9be74802a677076191ebe766b42e50c6cba5fa36eb251585", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|61b1cd2322c4848b9be74802a677076191ebe766b42e50c6cba5fa36eb251585"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/account.route.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /invite has no auth: Express route POST /invite declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87878, "scanner": "repobility-route-auth", "fingerprint": "2caa9c26c16ad0900594c443c74b007522e02b5f7ce5cb83cf7b7e32fc33b456", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|2caa9c26c16ad0900594c443c74b007522e02b5f7ce5cb83cf7b7e32fc33b456"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/account.route.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /register has no auth: Express route POST /register declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87877, "scanner": "repobility-route-auth", "fingerprint": "5e0849651f55b5563bfb89a75eb52b6db998f54fd386a933d1c9e56b698c6513", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|5e0849651f55b5563bfb89a75eb52b6db998f54fd386a933d1c9e56b698c6513"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/account.route.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST /test has no auth: Express route POST /test declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87876, "scanner": "repobility-route-auth", "fingerprint": "f9384c9435b2f8f205a16c35223f666b0417a0a3585ee847b6ba796ed606f1d4", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|f9384c9435b2f8f205a16c35223f666b0417a0a3585ee847b6ba796ed606f1d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/login-method.route.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express PUT / has no auth: Express route PUT / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87875, "scanner": "repobility-route-auth", "fingerprint": "7c11f5744bb0c3ea6c8e0cb11b32d2ef3d229c60aa2daa136f186341c6f362ea", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|7c11f5744bb0c3ea6c8e0cb11b32d2ef3d229c60aa2daa136f186341c6f362ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/login-method.route.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED113", "level": "error", "message": {"text": "[MINED113] Express POST / has no auth: Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A01:2021 broken access control."}, "properties": {"repobilityId": 87874, "scanner": "repobility-route-auth", "fingerprint": "9adb44a9d56d73861aa76248dc1c44c5273d14e897f68cd7c0e8adda7f061d3f", "category": "quality", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "express-destructive-unauth", "owasp": "A01:2021", "cwe_ids": ["CWE-306", "CWE-862"], "languages": ["python", "javascript"], "observations_count": 7836}, "scanner": "repobility-route-auth", "correlation_key": "fp|9adb44a9d56d73861aa76248dc1c44c5273d14e897f68cd7c0e8adda7f061d3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/routes/login-method.route.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 87873, "scanner": "repobility-journey-contract", "fingerprint": "b30f57c0f9c03ac837d4630c8675f65e0ff6371177f7cfdb88da0f1866b0304d", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|153|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 0}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/tools/GoogleDrive/GoogleDrive.ts"}, "region": {"startLine": 153}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /:id."}, "properties": {"repobilityId": 87839, "scanner": "repobility-access-control", "fingerprint": "1a221f197662894b642d75d11e90b4a9429ea8b4054ee6f2a0848333485921a2", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:id", "method": "GET", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|6|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/validation/index.ts"}, "region": {"startLine": 6}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /:chatflowId/:chatId."}, "properties": {"repobilityId": 87838, "scanner": "repobility-access-control", "fingerprint": "f9458d6ae460af70a98e1154231623665e81dd4b2e9f9e77a05dd46162a3cfd5", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/:chatflowId/:chatId", "method": "POST", "scanner": "repobility-access-control", "framework": "Express", "correlation_key": "code|auth|token|8|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/routes/attachments/index.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 87780, "scanner": "repobility-threat-engine", "fingerprint": "3f4a61f57e8de81f8e3e726cfdd6805d41f0798fe9ee5b5a681606fa056bd0a6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3f4a61f57e8de81f8e3e726cfdd6805d41f0798fe9ee5b5a681606fa056bd0a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/utils/signatureVerification.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED028", "level": "error", "message": {"text": "[MINED028] Ts Ignore Comment: // @ts-ignore silences all type errors on the next line."}, "properties": {"repobilityId": 87766, "scanner": "repobility-threat-engine", "fingerprint": "6404edbc7871af145a24a42a0bb9d82a3c87ee4f02db98d05c9cac4279d339aa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-ignore-comment", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347964+00:00", "triaged_in_corpus": 15, "observations_count": 9364, "ai_coder_pattern_id": 99}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6404edbc7871af145a24a42a0bb9d82a3c87ee4f02db98d05c9cac4279d339aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/documentloaders/Folder/Folder.ts"}, "region": {"startLine": 159}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 87756, "scanner": "repobility-threat-engine", "fingerprint": "8f18c09dc023fe3e6dcd2bf7b5fa8159b092e6cd20fcc47bb08781286909a17c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8f18c09dc023fe3e6dcd2bf7b5fa8159b092e6cd20fcc47bb08781286909a17c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 87755, "scanner": "repobility-threat-engine", "fingerprint": "d6bc8fda64be85eb3fbbbad5689dcc07b3e2141835eff2f7f5510368d112849b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d6bc8fda64be85eb3fbbbad5689dcc07b3e2141835eff2f7f5510368d112849b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/cache/RedisCache/RedisEmbeddingsCache.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED014", "level": "error", "message": {"text": "[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go."}, "properties": {"repobilityId": 87754, "scanner": "repobility-threat-engine", "fingerprint": "c60dbc270f3da27142c73a847d80c94ccc9e1faf2aeb4d5a2be99315cea5b838", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "disabled-tls-verify", "owasp": "A02:2021", "cwe_ids": ["CWE-295"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347930+00:00", "triaged_in_corpus": 15, "observations_count": 86916, "ai_coder_pattern_id": 16}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c60dbc270f3da27142c73a847d80c94ccc9e1faf2aeb4d5a2be99315cea5b838"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/cache/RedisCache/RedisCache.ts"}, "region": {"startLine": 122}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 87752, "scanner": "repobility-threat-engine", "fingerprint": "5393be2c9920e5de48ebe0a0e8c83902c09f913eba1a8ca7ff3443130cd6f498", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((kv) => `- ${kv[0]}: ${kv[1]}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5393be2c9920e5de48ebe0a0e8c83902c09f913eba1a8ca7ff3443130cd6f498"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/documentloaders/MicrosoftExcel/ExcelLoader.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 87751, "scanner": "repobility-threat-engine", "fingerprint": "edd32c0b2a888a1c556380e7a62bd832d44b9c436addaa3b7857834bbbc14a3d", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((key) => `${key.trim() || '_0'}: ${row[key]?.trim()}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|edd32c0b2a888a1c556380e7a62bd832d44b9c436addaa3b7857834bbbc14a3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/documentloaders/Csv/CsvLoader.ts"}, "region": {"startLine": 72}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 87750, "scanner": "repobility-threat-engine", "fingerprint": "3032e50f6d29ca2a2e69c414576183d366904f3bd0af599cb42d4ed5512169c7", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((tool: Tool) => `${tool.name}: ${tool.description}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3032e50f6d29ca2a2e69c414576183d366904f3bd0af599cb42d4ed5512169c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/agents/XMLAgent/XMLAgent.ts"}, "region": {"startLine": 269}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 87729, "scanner": "repobility-threat-engine", "fingerprint": "a72c7d320a34b627a915f4dac0f6aa77ee4dbbcb76462b2c5fc8232c08a9ee1a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a72c7d320a34b627a915f4dac0f6aa77ee4dbbcb76462b2c5fc8232c08a9ee1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/documentloaders/Spider/Spider.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 87728, "scanner": "repobility-threat-engine", "fingerprint": "95a3a15f9516b3d5a1b4738430d565e59630558d9a436f18acd5de0a6c7d23bb", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url (e", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|95a3a15f9516b3d5a1b4738430d565e59630558d9a436f18acd5de0a6c7d23bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/documentloaders/Github/Github.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 87727, "scanner": "repobility-threat-engine", "fingerprint": "44e92ace2708dee7acf10c0e53135bed7c5e2f14673b3a96b1bcaef334df1099", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(b", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|44e92ace2708dee7acf10c0e53135bed7c5e2f14673b3a96b1bcaef334df1099"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/features/canvas/components/AgentflowHeader.tsx"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC033", "level": "error", "message": {"text": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting every object in the process. CWE-1321. Real-world: CVE-2019-10744 (lodash), CVE-2021-23337 (lodash.set), CVE-2023-26136 (tough-cookie)."}, "properties": {"repobilityId": 87726, "scanner": "repobility-threat-engine", "fingerprint": "2fa959e6e2785445fba8ac270dd789e088515e471593c37b8f7c193733e2585b", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "[input.name] =", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC033", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2fa959e6e2785445fba8ac270dd789e088515e471593c37b8f7c193733e2585b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/services/mcp-endpoint/index.ts"}, "region": {"startLine": 143}}}]}, {"ruleId": "SEC033", "level": "error", "message": {"text": "[SEC033] Prototype Pollution \u2014 unfiltered merge of user object: Merging user-controlled object into a target without filtering `__proto__`/`constructor`/`prototype` keys lets attackers inject properties onto Object.prototype, affecting every object in the process. CWE-1321. Real-world: CVE-2019-10744 (lodash), CVE-2021-23337 (lodash.set), CVE-2023-26136 (tough-cookie)."}, "properties": {"repobilityId": 87725, "scanner": "repobility-threat-engine", "fingerprint": "73175415ec445c90aa59aecfaf7b94fe7433b98482dd3649c615e470a1c92ab0", "category": "prototype_pollution", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "[input.name] =", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC033", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|73175415ec445c90aa59aecfaf7b94fe7433b98482dd3649c615e470a1c92ab0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/core/utils/nodeFactory.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 87724, "scanner": "repobility-threat-engine", "fingerprint": "0503d1111f930a9d8aa2b9997404d1b4120788018c9ca1a4943dacfc4b101462", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(url", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0503d1111f930a9d8aa2b9997404d1b4120788018c9ca1a4943dacfc4b101462"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/utils/logger.ts"}, "region": {"startLine": 95}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 87723, "scanner": "repobility-threat-engine", "fingerprint": "86b5ec92077e0e5c9534c021ab4618d88b62e386c696d5e0010637300121470c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(TOKEN_REGEX", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|86b5ec92077e0e5c9534c021ab4618d88b62e386c696d5e0010637300121470c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/observe/src/core/primitives/json.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 87722, "scanner": "repobility-threat-engine", "fingerprint": "a5a1705c6968c8285fd0bb45da6d8f99a9a65635a37d3f54560263363e192cab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a5a1705c6968c8285fd0bb45da6d8f99a9a65635a37d3f54560263363e192cab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/core/utils/fieldVisibility.ts"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 87720, "scanner": "repobility-threat-engine", "fingerprint": "a338bb0a5fb3f21d05ca3f294fbc73dcdc5371efc0fa30b06280f08d3fbca238", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(entry", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a338bb0a5fb3f21d05ca3f294fbc73dcdc5371efc0fa30b06280f08d3fbca238"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/tools/Arxiv/core.ts"}, "region": {"startLine": 102}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 87719, "scanner": "repobility-threat-engine", "fingerprint": "47b1a59c5144243c83a9766c0ad0b028aafb12578d299e500d4c2eda07382611", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|47b1a59c5144243c83a9766c0ad0b028aafb12578d299e500d4c2eda07382611"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/core/utils/variableUtils.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 87718, "scanner": "repobility-threat-engine", "fingerprint": "52e07492a44d19318e925eb5e32aefbffa6dfccd2033b268f75f326b474bfa99", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(unescaped", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|52e07492a44d19318e925eb5e32aefbffa6dfccd2033b268f75f326b474bfa99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/atoms/utils/xmlTagUtils.ts"}, "region": {"startLine": 154}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 87712, "scanner": "repobility-threat-engine", "fingerprint": "bcf61d64cc621fe69096837b62e5da3dc422b24ab02fbba75c3c9fd04d8071bd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "EvaluationRunTracerLlama.startTimes.delete(evalID + '_' + label)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bcf61d64cc621fe69096837b62e5da3dc422b24ab02fbba75c3c9fd04d8071bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/evaluation/EvaluationRunTracerLlama.ts"}, "region": {"startLine": 150}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 87711, "scanner": "repobility-threat-engine", "fingerprint": "56ab17f39a6009ed4eba7529ed98077984e671484173a26a963b2096c5398fb1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cache.delete(key)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|56ab17f39a6009ed4eba7529ed98077984e671484173a26a963b2096c5398fb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/infrastructure/api/deduplicatedClient.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 87710, "scanner": "repobility-threat-engine", "fingerprint": "a8d47254482a22c17f938260d93edf3588fddc40467f67c384d965c08a804e3d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "latestContentRef.current.delete(effectiveKeys[indexToDelete])", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a8d47254482a22c17f938260d93edf3588fddc40467f67c384d965c08a804e3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agentflow/src/atoms/MessagesInput.tsx"}, "region": {"startLine": 86}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 87857, "scanner": "repobility-journey-contract", "fingerprint": "7eb730d66bfb27d14eaaa9b59dc6ea1ce1e83d3be2d8484a066fa3790f7afa05", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|token|289|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/enterprise/middleware/passport/index.ts"}, "region": {"startLine": 289}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 87773, "scanner": "repobility-threat-engine", "fingerprint": "1ec12ab7750ff7aaf4d42acc4a40c7f1918ee2365ad41553e26dc75c5040bfc7", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(file", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1ec12ab7750ff7aaf4d42acc4a40c7f1918ee2365ad41553e26dc75c5040bfc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/server/src/NodesPool.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 87760, "scanner": "repobility-threat-engine", "fingerprint": "6568e2e4777d8e8109c23f33c2c7d9e8ae82ba9c695b2241c5fabe13f30fb56c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6568e2e4777d8e8109c23f33c2c7d9e8ae82ba9c695b2241c5fabe13f30fb56c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/chains/ApiChain/postCore.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 87759, "scanner": "repobility-threat-engine", "fingerprint": "cce3adea06e237f9dfe5a65fd2f7ab752aa45812cd099c75d44ce1ab0186d0c6", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cce3adea06e237f9dfe5a65fd2f7ab752aa45812cd099c75d44ce1ab0186d0c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/chains/ApiChain/POSTApiChain.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 87758, "scanner": "repobility-threat-engine", "fingerprint": "6a39d2c62fc2937c0fd66d05ea4633b4b5e33c20b1895f32d9c3e6e373746757", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a39d2c62fc2937c0fd66d05ea4633b4b5e33c20b1895f32d9c3e6e373746757"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/components/nodes/chains/ApiChain/GETApiChain.ts"}, "region": {"startLine": 121}}}]}]}]}