{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Combine update and install in the same RUN instruction and clean package indexes in that layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image has no explicit tag", "shortDescription": {"text": "Dockerfile base image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", 
"category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional file. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED017", "name": "[MINED017] C System Call (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED017] C System Call (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `eniocarboni/docker-ubuntu-systemd:22.04` not pinned by digest: `FROM eniocarboni/docker-ubun", "shortDescription": {"text": "[MINED118] Dockerfile FROM `eniocarboni/docker-ubuntu-systemd:22.04` not pinned by digest: `FROM eniocarboni/docker-ubuntu-systemd:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every "}, "fullDescription": {"text": "Replace with: `FROM eniocarboni/docker-ubuntu-systemd:22.04@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `debian:bookworm-20230227-slim` unpinned: `container/services image: debian", "shortDescription": {"text": "[MINED126] Workflow container/services image `debian:bookworm-20230227-slim` unpinned: `container/services image: debian:bookworm-20230227-slim` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container refere"}, "fullDescription": {"text": "Replace with `debian:bookworm-20230227-slim@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `google-github-actions/auth` pinned to mutable ref `@v2`: `uses: google-github-actions/auth@v2` resolv", "shortDescription": {"text": "[MINED115] Action `google-github-actions/auth` pinned to mutable ref `@v2`: `uses: google-github-actions/auth@v2` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files "}, "fullDescription": {"text": "Replace with: `uses: google-github-actions/auth@<40-char-sha>  # v2` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "Create .dockerignore before using broad context copies, or copy only the required files and directories."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.TENZIR_CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_req", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.TENZIR_CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TENZIR_CODECOV_TOKEN }` lets a PR from any fork exfiltr"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED125", "name": "[MINED125] GHA script injection via github.head_ref in run-step: Multi-line `run: |` block interpolates ${{ github.head_", "shortDescription": {"text": "[MINED125] GHA script injection via github.head_ref in run-step: Multi-line `run: |` block interpolates ${{ github.head_ref }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "fullDescription": {"text": "Assign the expression to an environment variable in the step's `env:` mapping first, then reference it as `\"$ENV_VAR\"` inside the shell script so the value is expanded by the shell rather than interpolated into the script text."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/994"}, "properties": {"repository": "tenzir/tenzir", "repoUrl": "https://github.com/tenzir/tenzir", "branch": "main"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 93373, "scanner": "repobility-ast-engine", "fingerprint": "5146b4bce4c679eb5176f36047e7de29f91ccbf2b9f2f882a53eb26ae7c51167", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5146b4bce4c679eb5176f36047e7de29f91ccbf2b9f2f882a53eb26ae7c51167"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nix-build.py"}, "region": {"startLine": 421}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 93372, "scanner": "repobility-docker", "fingerprint": "f6b544dfde3a8d86d3ecfe1169cb8f9ccb1852c297f411ac090e96d9c35ff2df", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "eniocarboni/docker-ubuntu-systemd:22.04", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f6b544dfde3a8d86d3ecfe1169cb8f9ccb1852c297f411ac090e96d9c35ff2df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tenzir/services/systemd/test/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 93371, "scanner": "repobility-docker", "fingerprint": 
"29f3ecb7ca9e27c85a560a78b89b3a3280c4e88529789ae7c1a7ab57f2cd88c0", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|29f3ecb7ca9e27c85a560a78b89b3a3280c4e88529789ae7c1a7ab57f2cd88c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tenzir/services/systemd/test/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 93366, "scanner": "repobility-docker", "fingerprint": "2bd29ab677f095f688c467255aabf4b75c7d9a4faf656ae8d36fd310b6388c75", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "fedora", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2bd29ab677f095f688c467255aabf4b75c7d9a4faf656ae8d36fd310b6388c75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ansible/test/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Dockerfile base image has no explicit tag"}, "properties": {"repobilityId": 93365, "scanner": "repobility-docker", "fingerprint": "9a2333b67d678602381d2180a9ff5020751416d66cd33b2b3689edfb4e770f48", "category": "docker", "severity": 
"medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "fedora", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9a2333b67d678602381d2180a9ff5020751416d66cd33b2b3689edfb4e770f48"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ansible/test/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 93364, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 93363, "scanner": "repobility-docker", "fingerprint": "5aaf1b70926f712f5ff36cc38b80c976b84fd5bbcafaa8d7345b4b0ee73ac6ec", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": 
"tenzir-ce", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5aaf1b70926f712f5ff36cc38b80c976b84fd5bbcafaa8d7345b4b0ee73ac6ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 495}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 93362, "scanner": "repobility-docker", "fingerprint": "b152b7920f2c657c41a46d76acd7bd008368d4b23df0d21cf6a0bcf5fd70a262", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b152b7920f2c657c41a46d76acd7bd008368d4b23df0d21cf6a0bcf5fd70a262"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 203}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 93361, "scanner": "repobility-docker", "fingerprint": "59d8ac9d9c44ee0ac3ddc5181227ef7f78ac2dccbcfc7404aba9829231b0ea57", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://github.com/hadolint/hadolint"], "correlation_key": "fp|59d8ac9d9c44ee0ac3ddc5181227ef7f78ac2dccbcfc7404aba9829231b0ea57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 77}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 93360, "scanner": "repobility-docker", "fingerprint": "75efa98abac8185da3e8b2f3b95f773e55e648ceb3cda422ffe23c6de9c48662", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|75efa98abac8185da3e8b2f3b95f773e55e648ceb3cda422ffe23c6de9c48662"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 67}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 93359, "scanner": "repobility-docker", "fingerprint": "36576f82e4d7b56726c689139e3c3c9a3aa9922e5f8a68073dccd4fb6240adf5", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|36576f82e4d7b56726c689139e3c3c9a3aa9922e5f8a68073dccd4fb6240adf5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": 
{"startLine": 44}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 93328, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 93317, "scanner": "repobility-threat-engine", "fingerprint": "9e8aca99c0cd40e2697bb2b484a2380dc0adcba11c7317c9e16d0ef0e05d5dd0", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|26|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/aggregation-functions/collect.cpp"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 93316, "scanner": "repobility-threat-engine", "fingerprint": "10692bd1196b167388dc435e655a1814e1337e9515c983d1f9c2ee3010eccf54", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "eval(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|29|sec045", "duplicate_count": 1, "duplicate_rule_ids": ["SEC045"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["10692bd1196b167388dc435e655a1814e1337e9515c983d1f9c2ee3010eccf54", "bb2db8132c6b9c119e1b118a56b182f330c8ce95b9b2acc12cca93b9126df724"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/aggregation-functions/all.cpp"}, "region": {"startLine": 29}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 93368, "scanner": "repobility-docker", "fingerprint": "28c8f454134daf9f78a0bfb9e35d23ebdd153167e00fe13a53e3997ae89899f6", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|28c8f454134daf9f78a0bfb9e35d23ebdd153167e00fe13a53e3997ae89899f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/Dockerfile"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": 
"note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93358, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8af6e7a0e2e7e6cc18ff74111a682d95e2add975a132334ed2cccd4787e0e58c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/operators/from_ftp.cpp", "duplicate_line": 9, "correlation_key": "fp|8af6e7a0e2e7e6cc18ff74111a682d95e2add975a132334ed2cccd4787e0e58c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/to_ftp.cpp"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93357, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fffe51184eb66185e1928e9e9fcf1c5512b53ed9ecae0e9de94628bcab30376e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/operators/delay.cpp", "duplicate_line": 309, "correlation_key": "fp|fffe51184eb66185e1928e9e9fcf1c5512b53ed9ecae0e9de94628bcab30376e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/timeshift.cpp"}, "region": {"startLine": 160}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93356, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "56e5c71f1c604eeb552e770c41b00cb38eb74c1ad3b692621383f58b17cb6983", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/operators/local_remote.cpp", "duplicate_line": 49, "correlation_key": "fp|56e5c71f1c604eeb552e770c41b00cb38eb74c1ad3b692621383f58b17cb6983"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/strict.cpp"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93355, "scanner": "repobility-ai-code-hygiene", "fingerprint": "790eec2b2b4e8d30e6992d2e4eea5aa02f392c22775258af9877836028d55412", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/operators/processes.cpp", "duplicate_line": 45, "correlation_key": "fp|790eec2b2b4e8d30e6992d2e4eea5aa02f392c22775258af9877836028d55412"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/sockets.cpp"}, "region": {"startLine": 40}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93354, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"907f6d36b3a15e0450055926bc368491428f6253ede07652ed32b72f404e9b17", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/operators/openapi.cpp", "duplicate_line": 113, "correlation_key": "fp|907f6d36b3a15e0450055926bc368491428f6253ede07652ed32b72f404e9b17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/sockets.cpp"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93353, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e92b35d453e6f1d314e2cd120121e9f064fe729d94fd660e307cd2deb2feb673", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/operators/accept_tcp.cpp", "duplicate_line": 75, "correlation_key": "fp|e92b35d453e6f1d314e2cd120121e9f064fe729d94fd660e307cd2deb2feb673"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/serve_tcp.cpp"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93352, "scanner": "repobility-ai-code-hygiene", "fingerprint": "71fc076f43e537ab5061efc6933b991e58c69f6679a5e190cc1f02af227a576f", "category": "quality", "severity": "low", 
"confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/operators/accept_http.cpp", "duplicate_line": 429, "correlation_key": "fp|71fc076f43e537ab5061efc6933b991e58c69f6679a5e190cc1f02af227a576f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/serve_http.cpp"}, "region": {"startLine": 465}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93351, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d5249fef2d5f0d4c9a874e0b07d9208f3430cfa0daeb3c13d956e05e8f466331", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/operators/fields.cpp", "duplicate_line": 33, "correlation_key": "fp|d5249fef2d5f0d4c9a874e0b07d9208f3430cfa0daeb3c13d956e05e8f466331"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/schemas.cpp"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93350, "scanner": "repobility-ai-code-hygiene", "fingerprint": "22056bafa567163e0990957abe5667b18dc183959acded3ee578fa4ea6299331", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized 
source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/operators/read_delimited.cpp", "duplicate_line": 72, "correlation_key": "fp|22056bafa567163e0990957abe5667b18dc183959acded3ee578fa4ea6299331"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/read_delimited_regex.cpp"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93349, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d5e109a42ff1d2a3f9630efa4c1983c9f01a984fde614f2e5c3945b07a2492dd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/operators/openapi.cpp", "duplicate_line": 113, "correlation_key": "fp|d5e109a42ff1d2a3f9630efa4c1983c9f01a984fde614f2e5c3945b07a2492dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/processes.cpp"}, "region": {"startLine": 42}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93348, "scanner": "repobility-ai-code-hygiene", "fingerprint": "69850ea5eb4fbeec4a63b28751af232b0c8b19faccd4718ec3954f154eba1c7a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/operators/openapi.cpp", "duplicate_line": 113, "correlation_key": "fp|69850ea5eb4fbeec4a63b28751af232b0c8b19faccd4718ec3954f154eba1c7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/plugins.cpp"}, "region": {"startLine": 75}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93347, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6fe13cacd42106d3137c74d1d98ad77c19b2ba0a09ab8d14726493d72a72b9f4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/operators/fields.cpp", "duplicate_line": 33, "correlation_key": "fp|6fe13cacd42106d3137c74d1d98ad77c19b2ba0a09ab8d14726493d72a72b9f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/partitions.cpp"}, "region": {"startLine": 108}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93346, "scanner": "repobility-ai-code-hygiene", "fingerprint": "84c7424e9da78ac69c8f4cc7435bec51c59fe510dd915d84fdfa5432cae934f1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": 
"libtenzir/builtins/operators/every_cron2.cpp", "duplicate_line": 9, "correlation_key": "fp|84c7424e9da78ac69c8f4cc7435bec51c59fe510dd915d84fdfa5432cae934f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/parallel.cpp"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93345, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7ad4f9a4e73945c81c8fa8dee39085715594a2d992e14332285fcb204c576792", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/operators/accept_tcp.cpp", "duplicate_line": 494, "correlation_key": "fp|7ad4f9a4e73945c81c8fa8dee39085715594a2d992e14332285fcb204c576792"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/from_unix_socket.cpp"}, "region": {"startLine": 89}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93344, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c6aba94e89d30191444184fd4123b7065c55e415b168a6bb2bda2722271ac3b7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/operators/accept_unix_socket.cpp", "duplicate_line": 148, "correlation_key": 
"fp|c6aba94e89d30191444184fd4123b7065c55e415b168a6bb2bda2722271ac3b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/from_tcp.cpp"}, "region": {"startLine": 187}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93343, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8f3bb6fdee091c9b8492d476c7ef8ea80a1ac075f96462690ffa1c62c3b7f34e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/operators/accept_tcp.cpp", "duplicate_line": 54, "correlation_key": "fp|8f3bb6fdee091c9b8492d476c7ef8ea80a1ac075f96462690ffa1c62c3b7f34e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/from_tcp.cpp"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93342, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1198e32a8d0ed2334b8179bb3eb7aedbfe0efaa27a495b2c2f22802df30c3ef3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/operators/accept_http.cpp", "duplicate_line": 581, "correlation_key": "fp|1198e32a8d0ed2334b8179bb3eb7aedbfe0efaa27a495b2c2f22802df30c3ef3"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "libtenzir/builtins/operators/from_ftp.cpp"}, "region": {"startLine": 240}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93341, "scanner": "repobility-ai-code-hygiene", "fingerprint": "25e71b6e84944108b30cb5fd6c97a4390fdfac105e797bb95e59b10c73d3e3e1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/operators/compress_decompress.cpp", "duplicate_line": 11, "correlation_key": "fp|25e71b6e84944108b30cb5fd6c97a4390fdfac105e797bb95e59b10c73d3e3e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/compress_decompress2.cpp"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93340, "scanner": "repobility-ai-code-hygiene", "fingerprint": "96de6cd127d9d4d36c782485258c32e3c816203205aab059ae8a56e6f36f2940", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/operators/accept_tcp.cpp", "duplicate_line": 470, "correlation_key": "fp|96de6cd127d9d4d36c782485258c32e3c816203205aab059ae8a56e6f36f2940"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/accept_unix_socket.cpp"}, "region": 
{"startLine": 133}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93339, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8d86950759c646e065feb8b0ecd2a1fc8698f9de9d4c0b5ef72f415a545a9c15", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/operators/accept_http.cpp", "duplicate_line": 224, "correlation_key": "fp|8d86950759c646e065feb8b0ecd2a1fc8698f9de9d4c0b5ef72f415a545a9c15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/accept_opensearch.cpp"}, "region": {"startLine": 247}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93338, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7f7e728a957d7afce62c4092fd044335d7c9ea221ad12774427ebaa43ab28298", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/functions/duration.cpp", "duplicate_line": 51, "correlation_key": "fp|7f7e728a957d7afce62c4092fd044335d7c9ea221ad12774427ebaa43ab28298"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/functions/time.cpp"}, "region": {"startLine": 99}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation 
block across source files"}, "properties": {"repobilityId": 93337, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ec01898132047655e4a5a4714ad79c6d919ecb3fcca18903f47fe95e6469ff36", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/formats/cef.cpp", "duplicate_line": 312, "correlation_key": "fp|ec01898132047655e4a5a4714ad79c6d919ecb3fcca18903f47fe95e6469ff36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/formats/yaml.cpp"}, "region": {"startLine": 334}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93336, "scanner": "repobility-ai-code-hygiene", "fingerprint": "baaa839b70cbe96d6862cbc64bbffd222ecc5a202c62dea5e8fec174bdd6ea92", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/formats/cef.cpp", "duplicate_line": 2, "correlation_key": "fp|baaa839b70cbe96d6862cbc64bbffd222ecc5a202c62dea5e8fec174bdd6ea92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/formats/leef.cpp"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93335, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"0c0c3670aa389c8a1cd22b3b4e4ab13e0fcaa94e996911c684492e925c60fbe5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/contexts/bloom_filter.cpp", "duplicate_line": 86, "correlation_key": "fp|0c0c3670aa389c8a1cd22b3b4e4ab13e0fcaa94e996911c684492e925c60fbe5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/contexts/lookup_table.cpp"}, "region": {"startLine": 351}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93334, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2a6bca165faa277fc3b83c903cffc6f394df4739cca4ea53e05e8f408833d973", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/aggregation-functions/min_max.cpp", "duplicate_line": 116, "correlation_key": "fp|2a6bca165faa277fc3b83c903cffc6f394df4739cca4ea53e05e8f408833d973"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/aggregation-functions/sum.cpp"}, "region": {"startLine": 122}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93333, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e474ce048ffe3c27bf9895a21f6b41a2f5d94947b3fe648f65cb6d6b9b06a82e", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/aggregation-functions/mean.cpp", "duplicate_line": 6, "correlation_key": "fp|e474ce048ffe3c27bf9895a21f6b41a2f5d94947b3fe648f65cb6d6b9b06a82e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/aggregation-functions/stddev_variance.cpp"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93332, "scanner": "repobility-ai-code-hygiene", "fingerprint": "48b065debaa3716a2ab0f55de289be5a2dc1cff3f9792b8af1fee0b9cd14942e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/aggregation-functions/first_last.cpp", "duplicate_line": 51, "correlation_key": "fp|48b065debaa3716a2ab0f55de289be5a2dc1cff3f9792b8af1fee0b9cd14942e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/aggregation-functions/min_max.cpp"}, "region": {"startLine": 131}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93331, "scanner": "repobility-ai-code-hygiene", "fingerprint": "40169bfdced102e6b2279910b42596a09ca1527060e179368b5619da8724357e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/aggregation-functions/collect.cpp", "duplicate_line": 28, "correlation_key": "fp|40169bfdced102e6b2279910b42596a09ca1527060e179368b5619da8724357e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/aggregation-functions/distinct.cpp"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93330, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cd928c7b0900f3da7d3e92f25cdd7b88ac83e1ee3d7519824fe7214c2265a799", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/builtins/aggregation-functions/all.cpp", "duplicate_line": 18, "correlation_key": "fp|cd928c7b0900f3da7d3e92f25cdd7b88ac83e1ee3d7519824fe7214c2265a799"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/aggregation-functions/any.cpp"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 93329, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f7d919a55f48c3eda8e5a70c86515280e87f0182ad11dbedafabbae5da18ad72", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code 
window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "libtenzir/aux/robin-map/include/tsl/robin_map.h", "duplicate_line": 115, "correlation_key": "fp|f7d919a55f48c3eda8e5a70c86515280e87f0182ad11dbedafabbae5da18ad72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/aux/robin-map/include/tsl/robin_set.h"}, "region": {"startLine": 102}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 93367, "scanner": "repobility-docker", "fingerprint": "3095342652b9952625870e2da594e62c93117b2502d5f0fde0e9eaa5cf73876a", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "$TENZIR_CONTAINER_REGISTRY/tenzir/tenzir:$TENZIR_VERSION", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|3095342652b9952625870e2da594e62c93117b2502d5f0fde0e9eaa5cf73876a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/Dockerfile"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 1 more): Same pattern found in 1 additional file. 
Review if needed."}, "properties": {"repobilityId": 93326, "scanner": "repobility-threat-engine", "fingerprint": "8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8f4ed64e85e23651a781f801f20cbe7cf192b517efa4818df0dde258906a2c2b"}}}, {"ruleId": "MINED017", "level": "none", "message": {"text": "[MINED017] C System Call (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 93322, "scanner": "repobility-threat-engine", "fingerprint": "89efab965bc311241e06498483155e603823c3f4ddf6b7e1bee363743d79b181", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "c-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347937+00:00", "triaged_in_corpus": 15, "observations_count": 77748, "ai_coder_pattern_id": 132}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|89efab965bc311241e06498483155e603823c3f4ddf6b7e1bee363743d79b181", "aggregated_count": 2}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 35 more): Same pattern found in 35 additional files. 
Review if needed."}, "properties": {"repobilityId": 93318, "scanner": "repobility-threat-engine", "fingerprint": "662d7a28733ccd0b5a18b94cce15b3626802fe2dc3bf96aec9b99ba6379a69a5", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 35 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|662d7a28733ccd0b5a18b94cce15b3626802fe2dc3bf96aec9b99ba6379a69a5"}}}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `eniocarboni/docker-ubuntu-systemd:22.04` not pinned by digest: `FROM eniocarboni/docker-ubuntu-systemd:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 93419, "scanner": "repobility-supply-chain", "fingerprint": "01410ad6b284ea367e8138fe1d7995b77d243e9ee77ac9b1209551a2dfd5ac46", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|01410ad6b284ea367e8138fe1d7995b77d243e9ee77ac9b1209551a2dfd5ac46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tenzir/services/systemd/test/Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `debian:bookworm-20230227-slim` unpinned: `container/services image: debian:bookworm-20230227-slim` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 93418, "scanner": "repobility-supply-chain", "fingerprint": "8ed021c87f11eb3ae52e5dc1da06796099feb0929fda5fd98d54f95df0fe07de", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8ed021c87f11eb3ae52e5dc1da06796099feb0929fda5fd98d54f95df0fe07de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/analysis.yaml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `google-github-actions/auth` pinned to mutable ref `@v2`: `uses: google-github-actions/auth@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93400, "scanner": "repobility-supply-chain", "fingerprint": "e2c833b289cb9f6644a18f7aaada0dd6845b92c261a33634943bd1d2ddeea80f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2c833b289cb9f6644a18f7aaada0dd6845b92c261a33634943bd1d2ddeea80f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 1052}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93399, "scanner": "repobility-supply-chain", "fingerprint": "7886c3acb95b2bf0e3f3438ecf174164b2be9ba1dd440c0f029f6f3a18e897cf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7886c3acb95b2bf0e3f3438ecf174164b2be9ba1dd440c0f029f6f3a18e897cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 1045}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/save` pinned to mutable ref `@v4`: `uses: actions/cache/save@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93398, "scanner": "repobility-supply-chain", "fingerprint": "0507a793e8a4af460e2b8e6d78b14630edf112f068368f8f259a7e564e2b77cc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0507a793e8a4af460e2b8e6d78b14630edf112f068368f8f259a7e564e2b77cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 1019}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache/restore` pinned to mutable ref `@v4`: `uses: actions/cache/restore@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93397, "scanner": "repobility-supply-chain", "fingerprint": "51c6db909d282a2c8e632affe07b72d23c699dd6f58e413196d9adce62577a94", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|51c6db909d282a2c8e632affe07b72d23c699dd6f58e413196d9adce62577a94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 971}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cachix/install-nix-action` pinned to mutable ref `@v30`: `uses: cachix/install-nix-action@v30` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93396, "scanner": "repobility-supply-chain", "fingerprint": "bd2e7f7de2b1ec0877d35c6dee636544c898d6488ee0df5506b7b708f0d07031", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bd2e7f7de2b1ec0877d35c6dee636544c898d6488ee0df5506b7b708f0d07031"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 960}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93395, "scanner": "repobility-supply-chain", "fingerprint": "8e7394832ef7f9b81bce8257252f16e5c2725d61b3f3bee4cf09a0c2ee2ff033", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8e7394832ef7f9b81bce8257252f16e5c2725d61b3f3bee4cf09a0c2ee2ff033"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 956}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `webfactory/ssh-agent` pinned to mutable ref `@v0.9.0`: `uses: webfactory/ssh-agent@v0.9.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93394, "scanner": "repobility-supply-chain", "fingerprint": "1b8db11eafa7502a4faa592fad658ae99b43442c0db2cb80dcf6550c4dcd16c0", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b8db11eafa7502a4faa592fad658ae99b43442c0db2cb80dcf6550c4dcd16c0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 926}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `tailscale/github-action` pinned to mutable ref `@v3`: `uses: tailscale/github-action@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93393, "scanner": "repobility-supply-chain", "fingerprint": "0c465f7199329722c9e8b5f5ec7c02a09c9616ac40208f866feb783c1496b284", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0c465f7199329722c9e8b5f5ec7c02a09c9616ac40208f866feb783c1496b284"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 912}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v1`: `uses: actions/create-github-app-token@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93392, "scanner": "repobility-supply-chain", "fingerprint": "e280810c03d07bf8d37433b6a154b910353626d6697f644b0ff1dc22ada49f8d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e280810c03d07bf8d37433b6a154b910353626d6697f644b0ff1dc22ada49f8d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 731}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v1`: `uses: actions/create-github-app-token@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93391, "scanner": "repobility-supply-chain", "fingerprint": "5aab017d25f7343e93edf6685ff4ccc25bb5dd32b01d7783db5b969fd05c4691", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5aab017d25f7343e93edf6685ff4ccc25bb5dd32b01d7783db5b969fd05c4691"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 633}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `webfactory/ssh-agent` pinned to mutable ref `@v0.9.0`: `uses: webfactory/ssh-agent@v0.9.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93390, "scanner": "repobility-supply-chain", "fingerprint": "13084ce7020b129510ee89a696b1cc4fdf0c8b593ed76c756c796c77c76fb59a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|13084ce7020b129510ee89a696b1cc4fdf0c8b593ed76c756c796c77c76fb59a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 609}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `google-github-actions/setup-gcloud` pinned to mutable ref `@v2`: `uses: google-github-actions/setup-gcloud@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93389, "scanner": "repobility-supply-chain", "fingerprint": "c2c4f1915e3072a884c84d57c7608fb16d841239576af9f46dd97ffdea66153f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c2c4f1915e3072a884c84d57c7608fb16d841239576af9f46dd97ffdea66153f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 170}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `google-github-actions/auth` pinned to mutable ref `@v2`: `uses: google-github-actions/auth@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93388, "scanner": "repobility-supply-chain", "fingerprint": "d2561d21199a0f565e1982d8b34bb036110570959a8a9e3d8cf37656bea2095e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d2561d21199a0f565e1982d8b34bb036110570959a8a9e3d8cf37656bea2095e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `rlespinasse/github-slug-action` pinned to mutable ref `@v5`: `uses: rlespinasse/github-slug-action@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93387, "scanner": "repobility-supply-chain", "fingerprint": "691e502a69ab09590f929c0c36bfdc19326ee06b3c5a15f21e8ffd0a5c988175", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|691e502a69ab09590f929c0c36bfdc19326ee06b3c5a15f21e8ffd0a5c988175"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cachix/install-nix-action` pinned to mutable ref `@v30`: `uses: cachix/install-nix-action@v30` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93386, "scanner": "repobility-supply-chain", "fingerprint": "290b7da6a917a778944041816bfda3b0de2bc168dcac5e1166959fded4d88c59", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|290b7da6a917a778944041816bfda3b0de2bc168dcac5e1166959fded4d88c59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bump-plugins-submodule.yaml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `crazy-max/ghaction-import-gpg` pinned to mutable ref `@v6`: `uses: crazy-max/ghaction-import-gpg@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93385, "scanner": "repobility-supply-chain", "fingerprint": "b05a02fde945a1a0bd18d33e36100c03ea5b75af8c66d9ec03de97c95e1c344d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b05a02fde945a1a0bd18d33e36100c03ea5b75af8c66d9ec03de97c95e1c344d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bump-plugins-submodule.yaml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v1`: `uses: actions/create-github-app-token@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93384, "scanner": "repobility-supply-chain", "fingerprint": "6ee06b378f24a6b128093b90667d7911e3dee55007824d1ee404ebee9ce5d5d8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6ee06b378f24a6b128093b90667d7911e3dee55007824d1ee404ebee9ce5d5d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bump-plugins-submodule.yaml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `webfactory/ssh-agent` pinned to mutable ref `@v0.9.0`: `uses: webfactory/ssh-agent@v0.9.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93383, "scanner": "repobility-supply-chain", "fingerprint": "92cbc97725a1e226c257da27cccab8dafb884c348a3d5c5105249921dbbb5be5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|92cbc97725a1e226c257da27cccab8dafb884c348a3d5c5105249921dbbb5be5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bump-plugins-submodule.yaml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `cloudflare/wrangler-action` pinned to mutable ref `@v3`: `uses: cloudflare/wrangler-action@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93382, "scanner": "repobility-supply-chain", "fingerprint": "13897fc415ee857c83e2a225ef24ec2a7ab148773f36363fae7c5b52fb4e9304", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|13897fc415ee857c83e2a225ef24ec2a7ab148773f36363fae7c5b52fb4e9304"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ccache-r2-broker.yaml"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93381, "scanner": "repobility-supply-chain", "fingerprint": "b37f2a0b5455c38047da6fb515c4ca79325b2f315c7b62250378e58f12b35717", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b37f2a0b5455c38047da6fb515c4ca79325b2f315c7b62250378e58f12b35717"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ccache-r2-broker.yaml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aws-actions/amazon-ecr-login` pinned to mutable ref `@v2`: `uses: aws-actions/amazon-ecr-login@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93380, "scanner": "repobility-supply-chain", "fingerprint": "6ef366d9ac540dcaa65f250c51df44edd087f88cb4bacc0379ace05a435b7de9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6ef366d9ac540dcaa65f250c51df44edd087f88cb4bacc0379ace05a435b7de9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/marketplace-release.yaml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aws-actions/configure-aws-credentials` pinned to mutable ref `@v4`: `uses: aws-actions/configure-aws-credentials@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93379, "scanner": "repobility-supply-chain", "fingerprint": "d591eef4135c1c5eb5a0c8fed2ac7eb1f54142055dc297ba8a31530441b14182", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d591eef4135c1c5eb5a0c8fed2ac7eb1f54142055dc297ba8a31530441b14182"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/marketplace-release.yaml"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aws-actions/configure-aws-credentials` pinned to mutable ref `@v4`: `uses: aws-actions/configure-aws-credentials@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93378, "scanner": "repobility-supply-chain", "fingerprint": "88c9523403c4e85c898e227582cd8b9683e3aec6d7db4ca3b7efe9822314565b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|88c9523403c4e85c898e227582cd8b9683e3aec6d7db4ca3b7efe9822314565b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/marketplace-release.yaml"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `tenzir/news/.github/actions/sync` pinned to mutable ref `@main`: `uses: tenzir/news/.github/actions/sync@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93377, "scanner": "repobility-supply-chain", "fingerprint": "a636e1262d6bb49a11e3650a700428fdb09ed2125b0061a6c5bbff1b8a562228", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a636e1262d6bb49a11e3650a700428fdb09ed2125b0061a6c5bbff1b8a562228"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-news.yaml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v1`: `uses: actions/create-github-app-token@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 93376, "scanner": "repobility-supply-chain", "fingerprint": "0d3ec357f8e0052d5de258445c4bd9c6f12f2a4242a1f7cd35fbce9966427465", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0d3ec357f8e0052d5de258445c4bd9c6f12f2a4242a1f7cd35fbce9966427465"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-news.yaml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `gcc:15-trixie` not pinned by digest: `FROM gcc:15-trixie` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility and supply-chain integrity. A digest pin also freezes the base image's security patches, so pair it with an updater (Dependabot or Renovate) that bumps the digest."}, "properties": {"repobilityId": 93375, "scanner": "repobility-supply-chain", "fingerprint": "1168c1223bb45191d358811f5d6646cadd7d9087f9623232a21b401b7be6933f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1168c1223bb45191d358811f5d6646cadd7d9087f9623232a21b401b7be6933f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `public.ecr.aws/docker/library/debian:trixie-slim` not pinned by digest: `FROM public.ecr.aws/docker/library/debian:trixie-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility and supply-chain integrity. A digest pin also freezes the base image's security patches, so pair it with an updater (Dependabot or Renovate) that bumps the digest."}, "properties": {"repobilityId": 93374, "scanner": "repobility-supply-chain", "fingerprint": "9f3b70be77ba48bdcff7ee36c58648d781b5a902fc64b568aa856e721cd2b0c5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9f3b70be77ba48bdcff7ee36c58648d781b5a902fc64b568aa856e721cd2b0c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 93370, "scanner": "repobility-docker", "fingerprint": "0cb097072026370ac8b1e1e92bf81c3d4901777fbe27cf465cda5a2eedc3c22a", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|0cb097072026370ac8b1e1e92bf81c3d4901777fbe27cf465cda5a2eedc3c22a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/Dockerfile"}, "region": {"startLine": 28}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell; the script runs unverified with the build's privileges. Download it to a file, verify its checksum or signature against a pinned value, then execute it"}, "properties": {"repobilityId": 93369, "scanner": "repobility-docker", "fingerprint": "b7f1dad6af13965e89a879c1cd0d08adadbf5f58bf5c5b5b219457c7e47114f1", "category": "docker", "severity": "high", "confidence": 0.92, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b7f1dad6af13965e89a879c1cd0d08adadbf5f58bf5c5b5b219457c7e47114f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "python/Dockerfile"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums). Confirm the context before acting: the Community ID flow-hash specification prescribes SHA-1 as a non-cryptographic flow identifier, so if this SHA-1 use in community_id.hpp implements that spec it is not a security-context use and should be triaged as a false positive rather than replaced."}, "properties": {"repobilityId": 93327, "scanner": "repobility-threat-engine", "fingerprint": "4a79d88bf22a437cca5d8e9811f179964e326c9efd63221bc4a8389177ff1560", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4a79d88bf22a437cca5d8e9811f179964e326c9efd63221bc4a8389177ff1560"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/include/tenzir/community_id.hpp"}, "region": {"startLine": 168}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. 
Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. The evidence for this finding is a token match on `url(`; confirm that the URL is built from input an untrusted party controls and that it actually reaches a network client before treating it as exploitable, and mitigate by validating the resolved destination against an allowlist rather than the URL string alone."}, "properties": {"repobilityId": 93325, "scanner": "repobility-threat-engine", "fingerprint": "7e2168a86c2431d3aa052961e16253eeaae126669e8de25c1fabed712026154a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(O", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7e2168a86c2431d3aa052961e16253eeaae126669e8de25c1fabed712026154a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/to_file.cpp"}, "region": {"startLine": 36}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. The evidence for this finding is a token match on `url(`; confirm that the URL is built from input an untrusted party controls and that it actually reaches a network client before treating it as exploitable, and mitigate by validating the resolved destination against an allowlist rather than the URL string alone."}, "properties": {"repobilityId": 93324, "scanner": "repobility-threat-engine", "fingerprint": "44a7967a632fdbff15464828194a3233b816176ce46bc06c45a65ca411207623", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(O", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|44a7967a632fdbff15464828194a3233b816176ce46bc06c45a65ca411207623"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/from_ftp.cpp"}, "region": {"startLine": 48}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. The evidence for this finding is a token match on `url(`; confirm that the URL is built from input an untrusted party controls and that it actually reaches a network client before treating it as exploitable, and mitigate by validating the resolved destination against an allowlist rather than the URL string alone."}, "properties": {"repobilityId": 93323, "scanner": "repobility-threat-engine", "fingerprint": "c370abd29566e6b1ba4d734a8807d6aae1ba26e0ea9a9028ba00a8342c37f0fa", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(O", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c370abd29566e6b1ba4d734a8807d6aae1ba26e0ea9a9028ba00a8342c37f0fa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/from_file.cpp"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED017", "level": "error", "message": {"text": "[MINED017] C System Call: system() invokes shell. Command injection is possible if any part of the command string is built from untrusted input; prefer an exec-family call or posix_spawn with an argv vector, and first confirm the match is an actual call to system() rather than an identifier that merely contains the substring."}, "properties": {"repobilityId": 93321, "scanner": "repobility-threat-engine", "fingerprint": "0e5609319932ae1ac276c27103ac176837c02aa05e71fc94e07c95abaee82be5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347937+00:00", "triaged_in_corpus": 15, "observations_count": 77748, "ai_coder_pattern_id": 132}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0e5609319932ae1ac276c27103ac176837c02aa05e71fc94e07c95abaee82be5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/operators/fields.cpp"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED017", "level": "error", "message": {"text": "[MINED017] C System Call: system() invokes shell. 
command injection if any arg is dynamic."}, "properties": {"repobilityId": 93320, "scanner": "repobility-threat-engine", "fingerprint": "3d7a4157a33cf34541ba7dc735e8fe6c3d64156143f013f748586a43f5970fac", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347937+00:00", "triaged_in_corpus": 15, "observations_count": 77748, "ai_coder_pattern_id": 132}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3d7a4157a33cf34541ba7dc735e8fe6c3d64156143f013f748586a43f5970fac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/components/metrics_collector.cpp"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED017", "level": "error", "message": {"text": "[MINED017] C System Call: system() invokes shell. 
command injection if any arg is dynamic."}, "properties": {"repobilityId": 93319, "scanner": "repobility-threat-engine", "fingerprint": "e042eb8a549575e00269c8644f14bfa2fd2239c381f176ff102431156ef2e573", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "c-system-call", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["c", "cpp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347937+00:00", "triaged_in_corpus": 15, "observations_count": 77748, "ai_coder_pattern_id": 132}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e042eb8a549575e00269c8644f14bfa2fd2239c381f176ff102431156ef2e573"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libtenzir/builtins/aspects/index.cpp"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TENZIR_CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TENZIR_CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 93417, "scanner": "repobility-supply-chain", "fingerprint": "24c11b9cf80b3c31341bfe28497b87879bb3eb322ffdeb7d1bb1456b2435174b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|24c11b9cf80b3c31341bfe28497b87879bb3eb322ffdeb7d1bb1456b2435174b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/analysis.yaml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.head_ref in run-step: Multi-line `run: |` block interpolates ${{ github.head_ref }} into shell. 
PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 93416, "scanner": "repobility-supply-chain", "fingerprint": "673d1413913ef3a704b25824995e3dc94a462bf01046a4a577087bf18a34e5bc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|673d1413913ef3a704b25824995e3dc94a462bf01046a4a577087bf18a34e5bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nix-build-job.yaml"}, "region": {"startLine": 370}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TENZIR_PLUGINS_DEPLOY_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TENZIR_PLUGINS_DEPLOY_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 93415, "scanner": "repobility-supply-chain", "fingerprint": "b2571efd14b43a89d6099a1c69e027c0b38d4369efd3b84b4bbacd429d7db6b0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b2571efd14b43a89d6099a1c69e027c0b38d4369efd3b84b4bbacd429d7db6b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/style-check.yaml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_TENZIR_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_TENZIR_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 93414, "scanner": "repobility-supply-chain", "fingerprint": "0868a7d97039e57bd9c6c17b63af785c2c4e4d24d233cbda5ef70e0cc6d2bb4d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0868a7d97039e57bd9c6c17b63af785c2c4e4d24d233cbda5ef70e0cc6d2bb4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/style-check.yaml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TENZIR_GITHUB_APP_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TENZIR_GITHUB_APP_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 93413, "scanner": "repobility-supply-chain", "fingerprint": "0420562a865e0deda266017941caa9c38fbd1fae71ec303a2b48dd0c58c0ccb3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0420562a865e0deda266017941caa9c38fbd1fae71ec303a2b48dd0c58c0ccb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 1241}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TEST_PYPI_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TEST_PYPI_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 93412, "scanner": "repobility-supply-chain", "fingerprint": "136bea41192e31f583e0d63cbf75703bcc82656d364258393c37c71e4ecc8d36", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|136bea41192e31f583e0d63cbf75703bcc82656d364258393c37c71e4ecc8d36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 1220}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.PYPI_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.PYPI_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 93411, "scanner": "repobility-supply-chain", "fingerprint": "5ac428702f62d7f6e41aef64f36be5aa6a8bfba6a91790b384d5d54214710b5e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5ac428702f62d7f6e41aef64f36be5aa6a8bfba6a91790b384d5d54214710b5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 1215}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TENZIR_BOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TENZIR_BOT_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 93410, "scanner": "repobility-supply-chain", "fingerprint": "0b48d8023861df49d3fe46e2082942d2ac7c40943239b7d006a5ce351f106b4e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0b48d8023861df49d3fe46e2082942d2ac7c40943239b7d006a5ce351f106b4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 1186}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_TENZIR_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_TENZIR_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 93409, "scanner": "repobility-supply-chain", "fingerprint": "eaef9297ddc8ca176fed75db8291e4b5f42f41d68efef5b393fa14925ab4b322", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eaef9297ddc8ca176fed75db8291e4b5f42f41d68efef5b393fa14925ab4b322"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 1171}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TENZIR_BOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TENZIR_BOT_GITHUB_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 93408, "scanner": "repobility-supply-chain", "fingerprint": "a7cc1413e90343b93f41793345eb34c78808f02146885ad3f89fb4c45f5554e3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a7cc1413e90343b93f41793345eb34c78808f02146885ad3f89fb4c45f5554e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 1116}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CACHIX_TENZIR_API_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CACHIX_TENZIR_API_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 93407, "scanner": "repobility-supply-chain", "fingerprint": "cd051b284c2ec58082c8d8fe9da55c23159cfb85dca549553f52f253ba459e35", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd051b284c2ec58082c8d8fe9da55c23159cfb85dca549553f52f253ba459e35"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 1104}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TENZIR_PLUGINS_DEPLOY_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TENZIR_PLUGINS_DEPLOY_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 93406, "scanner": "repobility-supply-chain", "fingerprint": "caaba1bcae3a4491891c7f852ed647c6f008f10792990139e7b3d71f88e77ab2", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|caaba1bcae3a4491891c7f852ed647c6f008f10792990139e7b3d71f88e77ab2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 928}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TS_OAUTH_SECRET` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TS_OAUTH_SECRET }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 93405, "scanner": "repobility-supply-chain", "fingerprint": "b1df499f1db0a9910b7dfb1312d872612783bf7b8c58d321cf533b4dd015f4d1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b1df499f1db0a9910b7dfb1312d872612783bf7b8c58d321cf533b4dd015f4d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 915}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TS_OAUTH_CLIENT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TS_OAUTH_CLIENT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 93404, "scanner": "repobility-supply-chain", "fingerprint": "a8f885b295b53410dd803650be63295a93d8716354668883b88cb7b80fc47e44", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a8f885b295b53410dd803650be63295a93d8716354668883b88cb7b80fc47e44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 914}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TENZIR_GITHUB_APP_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TENZIR_GITHUB_APP_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 93403, "scanner": "repobility-supply-chain", "fingerprint": "6b4a2adbca12af73da88536923d1cc610feb678777d43feb68f0f77cd0caa8e1", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6b4a2adbca12af73da88536923d1cc610feb678777d43feb68f0f77cd0caa8e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 734}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TENZIR_AUTOBUMPER_APP_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TENZIR_AUTOBUMPER_APP_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 93402, "scanner": "repobility-supply-chain", "fingerprint": "5ae0d843510ab942d7b0350841dc75083a0a78fc2cdc8ea44d27badcbc42b705", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5ae0d843510ab942d7b0350841dc75083a0a78fc2cdc8ea44d27badcbc42b705"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 636}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TENZIR_PLUGINS_DEPLOY_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TENZIR_PLUGINS_DEPLOY_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 93401, "scanner": "repobility-supply-chain", "fingerprint": "5cd5a617290069789aa9b05b8857d0bf363601298869dd251ebb7469018592a3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5cd5a617290069789aa9b05b8857d0bf363601298869dd251ebb7469018592a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tenzir.yaml"}, "region": {"startLine": 611}}}]}]}]}