{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "AGT006", "name": "React interval is created without an explicit cleanup", "shortDescription": {"text": "React interval is created without an explicit cleanup"}, "fullDescription": {"text": "Store the interval id and return a useEffect cleanup that calls clearInterval. Also clear the interval in explicit stop/end handlers when relevant."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AUC005", "name": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or sup", "shortDescription": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "fullDescription": {"text": "Add regression tests for anonymous denial, cross-user object denial, admin role limits, and super_admin-only behavior."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "low", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.", "shortDescription": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or neve", "shortDescription": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.BRAINTRUST_STAGING_PROJECT_ID` on a `pull_request` trigger: This workflow triggers on ", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.BRAINTRUST_STAGING_PROJECT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BRAINTRUST_STAGING_PROJECT_ID }` lets a PR fro"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/763"}, "properties": {"repository": "supabase/supabase", "repoUrl": "https://github.com/supabase/supabase", "branch": "master"}, "results": [{"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 63544, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "AGT006", "level": "warning", "message": {"text": "React interval is created without an explicit cleanup"}, "properties": {"repobilityId": 63543, "scanner": "repobility-agent-runtime", "fingerprint": "e13713d3a051ead8efb476a970b76f7c584b075c68fa9850020384a00dbc9033", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File uses setInterval with useEffect or hook-style code and no clearInterval cleanup was found.", "evidence": {"rule_id": "AGT006", "scanner": "repobility-agent-runtime", "references": ["https://react.dev/reference/react/useEffect"], "correlation_key": "fp|e13713d3a051ead8efb476a970b76f7c584b075c68fa9850020384a00dbc9033"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/registry/default/example/page-layout-edge-function.tsx"}, "region": {"startLine": 293}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 63526, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 63524, "scanner": "repobility-threat-engine", "fingerprint": "4a680d5b187cf674c09530566a9786d0e226861abaf8b6ed1702ded58a920e49", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * 50), // Random value 0-50\n    }\n  }).reverse()\n\n  return (\n    <div", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4a680d5b187cf674c09530566a9786d0e226861abaf8b6ed1702ded58a920e49"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/registry/default/example/logs-bar-chart.tsx"}, "region": {"startLine": 14}}}]}, {"ruleId": "AUC005", "level": "note", "message": {"text": "[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found."}, "properties": {"repobilityId": 63545, "scanner": "repobility-access-control", "fingerprint": "c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e", "category": "auth", "severity": "low", "confidence": 0.76, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "correlation_key": "fp|c58bb88e6682225dc480b3036f30153044953a3d94f500396678a77324e8d30e"}}}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63542, "scanner": "repobility-ai-code-hygiene", "fingerprint": "58fa2cc09916018b57df8180a86e550af1a3be5237a0a858feb13884ce8e6821", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/design-system/__registry__/default/block/chart-composed-basic.tsx", "duplicate_line": 55, "correlation_key": "fp|58fa2cc09916018b57df8180a86e550af1a3be5237a0a858feb13884ce8e6821"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/registry/default/block/chart-composed-table.tsx"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63541, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c01bad56bafd797b4a00d471ebe8f4a5fc315c3819bcd1008f8bb904aeee3cad", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/design-system/__registry__/default/block/chart-composed-actions.tsx", "duplicate_line": 41, "correlation_key": "fp|c01bad56bafd797b4a00d471ebe8f4a5fc315c3819bcd1008f8bb904aeee3cad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/registry/default/block/chart-composed-table.tsx"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63540, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8ada4002ef7beb882d362f76889d03c1b82b054f68de4c5d3bf70b79d48c870c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/design-system/__registry__/default/block/chart-composed-table.tsx", "duplicate_line": 1, "correlation_key": "fp|8ada4002ef7beb882d362f76889d03c1b82b054f68de4c5d3bf70b79d48c870c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/registry/default/block/chart-composed-table.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63539, "scanner": "repobility-ai-code-hygiene", "fingerprint": "caccabd8a0abedddc979c818d79811bb6fa0285e41b80311c9db26ecaf9d83f3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/design-system/__registry__/default/block/chart-composed-states.tsx", "duplicate_line": 1, "correlation_key": "fp|caccabd8a0abedddc979c818d79811bb6fa0285e41b80311c9db26ecaf9d83f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/registry/default/block/chart-composed-states.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63538, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ded2aa2039a20f3c0c5a7a56c63152801e7452fe783b0ba83f0ade1c2f0e65fc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/design-system/__registry__/default/block/chart-composed-metrics.tsx", "duplicate_line": 1, "correlation_key": "fp|ded2aa2039a20f3c0c5a7a56c63152801e7452fe783b0ba83f0ade1c2f0e65fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/registry/default/block/chart-composed-metrics.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63537, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b7809cdbc562680c1a0935ecf53f00c402f938f0a269837bb92ccdf4cf423310", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/design-system/__registry__/default/block/chart-composed-actions.tsx", "duplicate_line": 55, "correlation_key": "fp|b7809cdbc562680c1a0935ecf53f00c402f938f0a269837bb92ccdf4cf423310"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/registry/default/block/chart-composed-demo.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63536, "scanner": "repobility-ai-code-hygiene", "fingerprint": "692a7277c924a30f47d461efe0e17d7ffc3fd68dd321d8557e4846faad45e173", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/design-system/__registry__/default/block/chart-composed-demo.tsx", "duplicate_line": 1, "correlation_key": "fp|692a7277c924a30f47d461efe0e17d7ffc3fd68dd321d8557e4846faad45e173"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/registry/default/block/chart-composed-demo.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63535, "scanner": "repobility-ai-code-hygiene", "fingerprint": "58ad5fe1d5902439c230c48b3bb2d0eeddee206f0ab9c612faf9d1a1cf0231a2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/design-system/__registry__/default/block/chart-composed-actions.tsx", "duplicate_line": 3, "correlation_key": "fp|58ad5fe1d5902439c230c48b3bb2d0eeddee206f0ab9c612faf9d1a1cf0231a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/registry/default/block/chart-composed-basic.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63534, "scanner": "repobility-ai-code-hygiene", "fingerprint": "45b61df130536f5df3a322d3cd19d6fa1a41ec19287b90114b29c925620df7f9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/design-system/__registry__/default/block/chart-composed-basic.tsx", "duplicate_line": 1, "correlation_key": "fp|45b61df130536f5df3a322d3cd19d6fa1a41ec19287b90114b29c925620df7f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/registry/default/block/chart-composed-basic.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63533, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f6b3a99fb0c6bb9b7910fed0b45f7325ab8f79dfbd9e9a37bfcf753ec6ab5746", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/design-system/__registry__/default/block/chart-composed-actions.tsx", "duplicate_line": 1, "correlation_key": "fp|f6b3a99fb0c6bb9b7910fed0b45f7325ab8f79dfbd9e9a37bfcf753ec6ab5746"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/registry/default/block/chart-composed-actions.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63532, "scanner": "repobility-ai-code-hygiene", "fingerprint": "29306fbdc1bed9fce744dc4f6a7696a87aa1d73cee80b2d1491284fd861705d9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/design-system/__registry__/default/block/chart-bar-interactive.tsx", "duplicate_line": 1, "correlation_key": "fp|29306fbdc1bed9fce744dc4f6a7696a87aa1d73cee80b2d1491284fd861705d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/registry/default/block/chart-bar-interactive.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63531, "scanner": "repobility-ai-code-hygiene", "fingerprint": "38f306d69561f7d2520048dd52554d7ff43267fc799008cad27e2abcc7707da1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/design-system/components/code-fragment.tsx", "duplicate_line": 4, "correlation_key": "fp|38f306d69561f7d2520048dd52554d7ff43267fc799008cad27e2abcc7707da1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/components/component-preview.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63530, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cfc49c350dafcd4e6c7530f3759e1c8ea8e3c6950651e6ca8f181a2769554b21", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/design-system/__registry__/default/block/chart-composed-basic.tsx", "duplicate_line": 55, "correlation_key": "fp|cfc49c350dafcd4e6c7530f3759e1c8ea8e3c6950651e6ca8f181a2769554b21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/__registry__/default/block/chart-composed-table.tsx"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63529, "scanner": "repobility-ai-code-hygiene", "fingerprint": "40408b0bdd2406f0be165c5a12508da32297ffb08b18f9341310bc4bc2988275", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/design-system/__registry__/default/block/chart-composed-actions.tsx", "duplicate_line": 41, "correlation_key": "fp|40408b0bdd2406f0be165c5a12508da32297ffb08b18f9341310bc4bc2988275"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/__registry__/default/block/chart-composed-table.tsx"}, "region": {"startLine": 35}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63528, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0ecac29b6464102984bb908f2693aceb9d3ef011b650a9fc57455efb6ba07d2e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/design-system/__registry__/default/block/chart-composed-actions.tsx", "duplicate_line": 55, "correlation_key": "fp|0ecac29b6464102984bb908f2693aceb9d3ef011b650a9fc57455efb6ba07d2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/__registry__/default/block/chart-composed-demo.tsx"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 63527, "scanner": "repobility-ai-code-hygiene", "fingerprint": "36b25798c3b71164269290716f02ff7edc69a386a2b2cfb0eda7822ae7cc7b13", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/design-system/__registry__/default/block/chart-composed-actions.tsx", "duplicate_line": 3, "correlation_key": "fp|36b25798c3b71164269290716f02ff7edc69a386a2b2cfb0eda7822ae7cc7b13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/__registry__/default/block/chart-composed-basic.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 63525, "scanner": "repobility-threat-engine", "fingerprint": "4f6e72bf942ace5f9fdb42456392c3ca6a7411774b9c14fe7619050b5a30a8c4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4f6e72bf942ace5f9fdb42456392c3ca6a7411774b9c14fe7619050b5a30a8c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/registry/default/example/markdown-images.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 63523, "scanner": "repobility-threat-engine", "fingerprint": "264ff5a3fbc85c596c3fa4bb54350e874fc2c16b6e44932ddc409b617b85fc97", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|264ff5a3fbc85c596c3fa4bb54350e874fc2c16b6e44932ddc409b617b85fc97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/components/icons.tsx"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 63522, "scanner": "repobility-threat-engine", "fingerprint": "a7536d5874bd62b7a8de056b84602c049f6c2b6c445cc80959726864a878d8d8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a7536d5874bd62b7a8de056b84602c049f6c2b6c445cc80959726864a878d8d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/components/component-props.tsx"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 63521, "scanner": "repobility-threat-engine", "fingerprint": "5fe2cf04427df05fc0aef7cf138aa979c1fc3f2cedae48cbd068d6e07c3f09f1", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|5fe2cf04427df05fc0aef7cf138aa979c1fc3f2cedae48cbd068d6e07c3f09f1", "aggregated_count": 2}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 63520, "scanner": "repobility-threat-engine", "fingerprint": "818181836db5eab8e2c85e2f428da038909922a4ed6e0a893f864489d38aa471", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|818181836db5eab8e2c85e2f428da038909922a4ed6e0a893f864489d38aa471"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/components/icons.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 63519, "scanner": "repobility-threat-engine", "fingerprint": "b9e64ab7d9b11979b588cfb091d45b4d9c74c94a8aa0e9e550f97fcda90f4931", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b9e64ab7d9b11979b588cfb091d45b4d9c74c94a8aa0e9e550f97fcda90f4931"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/components/component-props.tsx"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 63518, "scanner": "repobility-threat-engine", "fingerprint": "7a6891794b61ab6f5b414c4d53777737139fcc98aa9dfc2bf7036fb8370d306b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7a6891794b61ab6f5b414c4d53777737139fcc98aa9dfc2bf7036fb8370d306b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/components/colors.tsx"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "properties": {"repobilityId": 63517, "scanner": "repobility-threat-engine", "fingerprint": "5dbb9c9aeae4e323789e3c8382a48b9986a1c09f59fc9918e319871ba411dc73", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|5dbb9c9aeae4e323789e3c8382a48b9986a1c09f59fc9918e319871ba411dc73", "aggregated_count": 10}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 63516, "scanner": "repobility-threat-engine", "fingerprint": "a9153ff4096bc051ec5c8e6ef3435dcb05fc2ee3a80ead87bfd2c27597448524", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a9153ff4096bc051ec5c8e6ef3435dcb05fc2ee3a80ead87bfd2c27597448524"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/registry/default/example/form-item-layout-after-label.tsx"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 63515, "scanner": "repobility-threat-engine", "fingerprint": "b3c6fce7326b15e7473d74a0bfe23b32771c6365c0947a449d28f2e78029d0bd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b3c6fce7326b15e7473d74a0bfe23b32771c6365c0947a449d28f2e78029d0bd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/components/colors.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 63514, "scanner": "repobility-threat-engine", "fingerprint": "92af9b074a2620b92f58bb4b4cc63f8c2ae90e4d9e5fbd7081e92d6584d64d12", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|92af9b074a2620b92f58bb4b4cc63f8c2ae90e4d9e5fbd7081e92d6584d64d12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/components/color-palette.tsx"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 63513, "scanner": "repobility-threat-engine", "fingerprint": "410685243d84d8561ca61ad11ea403721013efeb1b5566cf0154df673abdc2fd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|410685243d84d8561ca61ad11ea403721013efeb1b5566cf0154df673abdc2fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/design-system/app/layout.tsx"}, "region": {"startLine": 128}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 63512, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BRAINTRUST_STAGING_PROJECT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BRAINTRUST_STAGING_PROJECT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63556, "scanner": "repobility-supply-chain", "fingerprint": "81bb5d579d52962d393ac1cd10504050175eefc1476037570953e86e45d7c1ba", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|81bb5d579d52962d393ac1cd10504050175eefc1476037570953e86e45d7c1ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/braintrust-preview-scorers-cleanup.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BRAINTRUST_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BRAINTRUST_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63555, "scanner": "repobility-supply-chain", "fingerprint": "491a95ddb6db8da4e327880e526c51d47662beaae97a5d271eb5feb0c5afcaeb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|491a95ddb6db8da4e327880e526c51d47662beaae97a5d271eb5feb0c5afcaeb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/braintrust-preview-scorers-cleanup.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_AUTOFIX_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AUTOFIX_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63554, "scanner": "repobility-supply-chain", "fingerprint": "696238f965df832142e3d1d52e4f29c6bf90ca87ae289ffe699ee938ea3de01a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|696238f965df832142e3d1d52e4f29c6bf90ca87ae289ffe699ee938ea3de01a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/autofix_linters.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BRAINTRUST_STAGING_PROJECT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BRAINTRUST_STAGING_PROJECT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63553, "scanner": "repobility-supply-chain", "fingerprint": "8fc81d9e3ebe2434a58008c1040b49710b638e63cbe6ff16237a8bb6f1392ade", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8fc81d9e3ebe2434a58008c1040b49710b638e63cbe6ff16237a8bb6f1392ade"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/braintrust-preview-scorers-deploy.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BRAINTRUST_STAGING_PROJECT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BRAINTRUST_STAGING_PROJECT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63552, "scanner": "repobility-supply-chain", "fingerprint": "6b6516d6397f52ba4f4a477d50f5cebca8aecbc64ff8584cfff58713798e30f9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b6516d6397f52ba4f4a477d50f5cebca8aecbc64ff8584cfff58713798e30f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/braintrust-preview-scorers-deploy.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BRAINTRUST_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BRAINTRUST_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63551, "scanner": "repobility-supply-chain", "fingerprint": "86af6ea8ad9972d29ae48f1deb0a7771779c7c23f9a0ff53135289961f433dab", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86af6ea8ad9972d29ae48f1deb0a7771779c7c23f9a0ff53135289961f433dab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/braintrust-preview-scorers-deploy.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BRAINTRUST_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BRAINTRUST_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63550, "scanner": "repobility-supply-chain", "fingerprint": "7ee966b909ad2508b678e0d2fb5677d1c34eca30a096e99c9f54c17c8f5004f1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7ee966b909ad2508b678e0d2fb5677d1c34eca30a096e99c9f54c17c8f5004f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/braintrust-evals.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.OPENAI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.OPENAI_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63549, "scanner": "repobility-supply-chain", "fingerprint": "955eaceb577e7f8538a3716292985c811d84c149c69083d78e4bd71bb273c33b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|955eaceb577e7f8538a3716292985c811d84c149c69083d78e4bd71bb273c33b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/braintrust-evals.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.BRAINTRUST_PROJECT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.BRAINTRUST_PROJECT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63548, "scanner": "repobility-supply-chain", "fingerprint": "7ca1f7d86d7a59b0a19aadde2b01a56bc0995347b56ca77090df7e2ac661b9aa", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7ca1f7d86d7a59b0a19aadde2b01a56bc0995347b56ca77090df7e2ac661b9aa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/braintrust-evals.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.OPENAI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.OPENAI_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63547, "scanner": "repobility-supply-chain", "fingerprint": "50a68dc89d9a25bdb5e6698fecd79a5f266bb1017f8252bd0d4daa418f7ee302", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|50a68dc89d9a25bdb5e6698fecd79a5f266bb1017f8252bd0d4daa418f7ee302"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/studio-e2e-test.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.OPENAI_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.OPENAI_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 63546, "scanner": "repobility-supply-chain", "fingerprint": "b48a3922bec99242c28b335742c9ba00a424d823c3e513e8931d3beae4338e82", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b48a3922bec99242c28b335742c9ba00a424d823c3e513e8931d3beae4338e82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ai-tests.yml"}, "region": {"startLine": 28}}}]}]}]}