{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /ru"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 23.5% of discovered routes show nearby authenticati", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 23.5% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. 
Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR007", "name": "Docker build context has no .dockerignore", "shortDescription": {"text": "Docker build context has no .dockerignore"}, "fullDescription": {"text": "Add .dockerignore with at least .git, .env, private keys, dependency folders, build outputs, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR009", "name": "Dockerfile separates apt update from install", "shortDescription": {"text": "Dockerfile separates apt update from install"}, "fullDescription": {"text": "Combine update and install in the same RUN instruction and clean package indexes in that layer."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC004", "name": "Suspicious implementation file appears unreferenced", "shortDescription": {"text": "Suspicious implementation file appears unreferenced"}, "fullDescription": {"text": "Confirm whether this file is reachable. 
If not, delete it; if yes, wire it through explicit imports, routes, or entry points and add a test that proves the path executes."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "AIC001", "name": "Parallel implementation file sits beside a canonical file", "shortDescription": {"text": "Parallel implementation file sits beside a canonical file"}, "fullDescription": {"text": "Merge the intended change into the canonical file, update tests/imports, and delete the parallel implementation if it is not the active entry point."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC112", "name": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/templa", "shortDescription": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. Using either with user input = XSS."}, "fullDescription": {"text": "Use `html/template` (NOT `text/template`) for HTML responses. 
Never wrap user input with `template.HTML/JS/URL`."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Dockerfile base image is selected through a build variable", "shortDescription": {"text": "Dockerfile base image is selected through a build variable"}, "fullDescription": {"text": "Resolve the variable to a versioned tag or digest in production builds and document the allowed images."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "info", "confidence": 0.48, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.", "shortDescription": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 10 more): Same pattern found in 10 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `peter-evans/repository-dispatch` pinned to mutable ref `@v3`: `uses: peter-evans/repository-dispatch@", "shortDescription": {"text": "[MINED115] Action `peter-evans/repository-dispatch` pinned to mutable ref `@v3`: `uses: peter-evans/repository-dispatch@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/chan"}, "fullDescription": {"text": "Replace with: `uses: peter-evans/repository-dispatch@<40-char-sha>  # v3` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `mcr.microsoft.com/vscode/devcontainers/go:0-` not pinned by digest: `FROM mcr.microsoft.com/", "shortDescription": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/vscode/devcontainers/go:0-` not pinned by digest: `FROM mcr.microsoft.com/vscode/devcontainers/go:0-` resolves the tag at build time. The registry CAN re-push a different image for the same tag,"}, "fullDescription": {"text": "Replace with: `FROM mcr.microsoft.com/vscode/devcontainers/go:0-@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "AUC003", "name": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby a", "shortDescription": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: DELETE /runs/{runID}."}, "fullDescription": {"text": "Add ownership, tenant, relationship, or policy checks before reading or mutating the target object."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "high", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies the entire context without .dockerignore", "shortDescription": {"text": "Dockerfile copies the entire context without .dockerignore"}, "fullDescription": {"text": "Create .dockerignore before using broad context copies, or copy only the required files and directories."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC080", "name": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-", "shortDescription": {"text": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). Ported from bandit B202 (Apache-2.0)."}, "fullDescription": {"text": "Add `filter='data'` (Python \u2265 3.12) or manually validate member paths against `os.path.abspath`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. 
The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, ", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1027"}, "properties": {"repository": "inngest/inngest", "repoUrl": "https://github.com/inngest/inngest", "branch": "main"}, "results": [{"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 96348, "scanner": "repobility-journey-contract", "fingerprint": "eaa1718c773eb20fd93359a249b57628fc578ac0e782256ff9c4c2681533548b", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": 
"JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/search", "correlation_key": "fp|eaa1718c773eb20fd93359a249b57628fc578ac0e782256ff9c4c2681533548b", "backend_endpoint_count": 51}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api-docs/src/routes/api/search.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 96347, "scanner": "repobility-journey-contract", "fingerprint": "854072495fadae248d1ba7bbed9e528689c53bdbd7c646a0dbdf6e6921217c9e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/search", "correlation_key": "fp|854072495fadae248d1ba7bbed9e528689c53bdbd7c646a0dbdf6e6921217c9e", "backend_endpoint_count": 51}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api-docs/src/routeTree.gen.ts"}, "region": {"startLine": 145}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 96346, "scanner": "repobility-journey-contract", "fingerprint": "1fd23ec263bc0c2e2156dea35a9a18620dc1578ab8917dd2eff81d595c1617d9", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": 
"repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/search", "correlation_key": "fp|1fd23ec263bc0c2e2156dea35a9a18620dc1578ab8917dd2eff81d595c1617d9", "backend_endpoint_count": 51}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api-docs/src/routeTree.gen.ts"}, "region": {"startLine": 144}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 96345, "scanner": "repobility-journey-contract", "fingerprint": "8ae211e6eac77e89ee87555d06fd0317c24fe3ad9e356e22eb9b426461ca8780", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/search", "correlation_key": "fp|8ae211e6eac77e89ee87555d06fd0317c24fe3ad9e356e22eb9b426461ca8780", "backend_endpoint_count": 51}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api-docs/src/routeTree.gen.ts"}, "region": {"startLine": 143}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 96344, "scanner": "repobility-journey-contract", "fingerprint": "2e6794cdef950c1653acad89ce9726a58619633be765bc031596f229d681452e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": 
["https://repobility.com/library/authorization/"], "route_shape": "/api/search", "correlation_key": "fp|2e6794cdef950c1653acad89ce9726a58619633be765bc031596f229d681452e", "backend_endpoint_count": 51}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api-docs/src/routeTree.gen.ts"}, "region": {"startLine": 142}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 96343, "scanner": "repobility-journey-contract", "fingerprint": "f4f11dcc2764e43012ceeeaea5c137e0c43ba4c323fc94b184262654628de432", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/search", "correlation_key": "fp|f4f11dcc2764e43012ceeeaea5c137e0c43ba4c323fc94b184262654628de432", "backend_endpoint_count": 51}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api-docs/src/routeTree.gen.ts"}, "region": {"startLine": 93}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 96342, "scanner": "repobility-journey-contract", "fingerprint": "81552939ca952fb906af70f7a2f3bd858591b22e1851bed5f12b24d03fa30a79", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": 
["https://repobility.com/library/authorization/"], "route_shape": "/api/search", "correlation_key": "fp|81552939ca952fb906af70f7a2f3bd858591b22e1851bed5f12b24d03fa30a79", "backend_endpoint_count": 51}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api-docs/src/routeTree.gen.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 96341, "scanner": "repobility-journey-contract", "fingerprint": "f2ec736e8fa4e19bbc10158d862c4a0d730803a5fb1dc3c267575c8136e36ea1", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/search", "correlation_key": "fp|f2ec736e8fa4e19bbc10158d862c4a0d730803a5fb1dc3c267575c8136e36ea1", "backend_endpoint_count": 51}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api-docs/src/routeTree.gen.ts"}, "region": {"startLine": 83}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 96340, "scanner": "repobility-journey-contract", "fingerprint": "17ff7dda743b1ca3671ed17622961404f1295f2bb96250261575a979b07e198c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": 
["https://repobility.com/library/authorization/"], "route_shape": "/api/search", "correlation_key": "fp|17ff7dda743b1ca3671ed17622961404f1295f2bb96250261575a979b07e198c", "backend_endpoint_count": 51}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api-docs/src/routeTree.gen.ts"}, "region": {"startLine": 73}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 96339, "scanner": "repobility-journey-contract", "fingerprint": "02fc670e705ed0e037fd7ab9485a7b6f15567c6b05c836803685e45aa35e96e6", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/search", "correlation_key": "fp|02fc670e705ed0e037fd7ab9485a7b6f15567c6b05c836803685e45aa35e96e6", "backend_endpoint_count": 51}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api-docs/src/routeTree.gen.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 96338, "scanner": "repobility-journey-contract", "fingerprint": "90da5dd0c71c6436aeb836be1bc6548e6fb6e4d92741fca2e75d038dff3637fd", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": 
["https://repobility.com/library/authorization/"], "route_shape": "/api/search", "correlation_key": "fp|90da5dd0c71c6436aeb836be1bc6548e6fb6e4d92741fca2e75d038dff3637fd", "backend_endpoint_count": 51}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api-docs/src/routeTree.gen.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 96337, "scanner": "repobility-journey-contract", "fingerprint": "5c4671fb38149b83f2897d7d083aba22ba3d7df9cdda6623ad0dc4b505c90b02", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/search", "correlation_key": "fp|5c4671fb38149b83f2897d7d083aba22ba3d7df9cdda6623ad0dc4b505c90b02", "backend_endpoint_count": 51}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api-docs/src/routeTree.gen.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 96336, "scanner": "repobility-journey-contract", "fingerprint": "47b917be461b47c8c1c489c0479e1178d9f249df68f304d8abd718a4c55f84c6", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": 
["https://repobility.com/library/authorization/"], "route_shape": "/api/search", "correlation_key": "fp|47b917be461b47c8c1c489c0479e1178d9f249df68f304d8abd718a4c55f84c6", "backend_endpoint_count": 51}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api-docs/src/routeTree.gen.ts"}, "region": {"startLine": 45}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /runs/{runID}."}, "properties": {"repobilityId": 96335, "scanner": "repobility-access-control", "fingerprint": "87ace96b8f153752cc0cb74dafc2a724e3502269f30152f68b71a830b6920966", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/runs/{runID}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/api/apiv1/apiv1.go|170|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/apiv1/apiv1.go"}, "region": {"startLine": 170}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /events/{eventID}/runs."}, "properties": {"repobilityId": 96334, "scanner": "repobility-access-control", "fingerprint": "c10ba7b35144a218c61bfddde0c5893c976a432773526702e727520bac0784c1", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/events/{eventID}/runs", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/api/apiv1/apiv1.go|169|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/apiv1/apiv1.go"}, "region": {"startLine": 169}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /events/{eventID}."}, "properties": {"repobilityId": 96333, "scanner": "repobility-access-control", "fingerprint": "6e3eac1275329be3050db110a234f43ca4b7589ffb3c7790121842094961a554", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/events/{eventID}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/api/apiv1/apiv1.go|168|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/apiv1/apiv1.go"}, "region": {"startLine": 168}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /events."}, "properties": {"repobilityId": 96332, "scanner": "repobility-access-control", "fingerprint": "bc7bd8d11d1481c6abb1b16e300b5edfb04599e47e1f1b9f379ee933b8d90c9f", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/events", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/api/apiv1/apiv1.go|167|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/apiv1/apiv1.go"}, "region": {"startLine": 167}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /signals."}, "properties": {"repobilityId": 96331, "scanner": "repobility-access-control", "fingerprint": "9da2600208e4b11e4ea00e4529d7004b5716e38f6933fcad1ec174dae1a950ad", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/signals", "method": "POST", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/api/apiv1/apiv1.go|165|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/apiv1/apiv1.go"}, "region": {"startLine": 165}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /telemetry."}, "properties": {"repobilityId": 96330, "scanner": "repobility-access-control", "fingerprint": "c954400a2e356c4cfc3b0a21a7a2910f0bdd8af1cd98fc84ce175d5c7ddde060", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/telemetry", "method": "POST", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/coreapi/coreapi.go|121|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/coreapi/coreapi.go"}, "region": {"startLine": 121}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /runs/{runID}/actions."}, "properties": {"repobilityId": 96329, "scanner": "repobility-access-control", "fingerprint": "9de8c0e08899d6123801e24274657fc85442ac79bd0570345cee7435e2f87cbd", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/runs/{runID}/actions", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/coreapi/coreapi.go|120|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/coreapi/coreapi.go"}, "region": {"startLine": 120}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /runs/{runID}/batch."}, "properties": {"repobilityId": 96328, "scanner": "repobility-access-control", "fingerprint": "fe4a212c30f6810fb99aba80460d2ed561732e6e925ad43218c3804a4cddce94", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/runs/{runID}/batch", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/coreapi/coreapi.go|119|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/coreapi/coreapi.go"}, "region": {"startLine": 119}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: DELETE /runs/{runID}."}, "properties": {"repobilityId": 96327, "scanner": "repobility-access-control", "fingerprint": "73085d4e0706f002ee7aed2582c3560e7dcea4b199662f4f391021811b5d8fca", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/runs/{runID}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/coreapi/coreapi.go|117|auc009", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/coreapi/coreapi.go"}, "region": {"startLine": 117}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /Authorization."}, "properties": {"repobilityId": 96326, "scanner": "repobility-access-control", "fingerprint": "991f0e3cd474fb356ae8d8456eeb4ac7b65e076417e0f59bb35289fafc907f9e", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/Authorization", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/authn/authn.go|30|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/authn/authn.go"}, "region": {"startLine": 30}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 23.5% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 96315, "scanner": "repobility-access-control", "fingerprint": "4244d8bce7e358ec1c087961ceef72f38e6bab43f99490994341dda304e9d609", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 51, "correlation_key": "fp|4244d8bce7e358ec1c087961ceef72f38e6bab43f99490994341dda304e9d609", "auth_visible_percent": 23.5}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 96314, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", 
"severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["GraphQL", "Chi"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 96312, "scanner": "repobility-docker", "fingerprint": "70c5d1e44f00a09e0a70c924787eabd6288d61c5aa84c99efc30a9fe700c2bed", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "alpine:3.21", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|70c5d1e44f00a09e0a70c924787eabd6288d61c5aa84c99efc30a9fe700c2bed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "DKR007", "level": "warning", "message": {"text": "Docker build context has no .dockerignore"}, "properties": {"repobilityId": 96310, "scanner": "repobility-docker", "fingerprint": "c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Dockerfile exists but repository root has no .dockerignore.", "evidence": {"rule_id": "DKR007", "scanner": 
"repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|c98378cf8c37e4866e89d6ca06a24b7e8c44654aa34e6e4bf1367c4a4c0c5b44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR009", "level": "warning", "message": {"text": "Dockerfile separates apt update from install"}, "properties": {"repobilityId": 96308, "scanner": "repobility-docker", "fingerprint": "34123e26ab54ecfe170f7689683157ae9338193a8216e5c058e767af3709a78e", "category": "docker", "severity": "medium", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Package index update appears without package installation in the same layer.", "evidence": {"rule_id": "DKR009", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|34123e26ab54ecfe170f7689683157ae9338193a8216e5c058e767af3709a78e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC004", "level": "warning", "message": {"text": "Suspicious implementation file appears unreferenced"}, "properties": {"repobilityId": 96291, "scanner": "repobility-ai-code-hygiene", "fingerprint": "799a4e15606c11a949be569c1d5adaa8a3ca562da2707275b1c95b9e22700a5f", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Patch-style source file has no detected inbound reference from other repository files.", "evidence": {"suffix": "update", "rule_id": "AIC004", "scanner": "repobility-ai-code-hygiene", "references": ["https://knip.dev/", "https://github.com/jendrikseipp/vulture"], "correlation_key": "fp|799a4e15606c11a949be569c1d5adaa8a3ca562da2707275b1c95b9e22700a5f"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/connect/gateway_msg_status_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC001", "level": "warning", "message": {"text": "Parallel implementation file sits beside a canonical file"}, "properties": {"repobilityId": 96290, "scanner": "repobility-ai-code-hygiene", "fingerprint": "996297f35bbd41e193737372521828efd1c0a3ae2e56513cba2fa7fff3d65b22", "category": "quality", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Source filename has a patch-style suffix and a same-directory canonical sibling exists.", "evidence": {"suffix": "update", "rule_id": "AIC001", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195", "https://knip.dev/"], "canonical_file": "pkg/connect/gateway_msg_status.go", "correlation_key": "fp|996297f35bbd41e193737372521828efd1c0a3ae2e56513cba2fa7fff3d65b22"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/connect/gateway_msg_status_update.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. 
Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 96289, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 96285, "scanner": "repobility-threat-engine", "fingerprint": "6ab0fbbef14835a5e1f2a591f4fd2d346f8e49f9bd1df8109eff04ed48d8b0ce", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|84|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/constraintapi/semaphore_manager.go"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 96284, "scanner": "repobility-threat-engine", "fingerprint": "069e761106aee8c8e234ff7be14c3d2ac0716f5723e5e6b6d95d32c479a80672", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|282|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/constraintapi/scavenge.go"}, "region": {"startLine": 282}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 96283, "scanner": "repobility-threat-engine", "fingerprint": "82440d431a607d70e63fad64ee5c3eb6d46de56191207150738c59e4af84b4a0", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|70|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/connect/state/request.go"}, "region": {"startLine": 70}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 96273, "scanner": "repobility-threat-engine", "fingerprint": "6ebd8b0cad66810a6ba525af927a023b7e6e35ced92428b65b9c1f599d308378", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{\n\t\tAddr:    fmt.Sprintf(\"%s:%d\", a.config.CoreAPI.Addr, a.config.CoreAPI.Port),\n\t\tHandle", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6ebd8b0cad66810a6ba525af927a023b7e6e35ced92428b65b9c1f599d308378"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/coreapi/coreapi.go"}, "region": {"startLine": 144}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without 
ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 96272, "scanner": "repobility-threat-engine", "fingerprint": "64474f7128acd51e195c0d9d91745b4262f839cf62c1942e9ee3aa2749db7d39", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{\n\t\tAddr:    fmt.Sprintf(\"%s:%d\", a.config.EventAPI.Addr, a.config.EventAPI.Port),\n\t\tHand", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|64474f7128acd51e195c0d9d91745b4262f839cf62c1942e9ee3aa2749db7d39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/api.go"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC112", "level": "warning", "message": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. 
Using either with user input = XSS."}, "properties": {"repobilityId": 96256, "scanner": "repobility-threat-engine", "fingerprint": "12f6fa6ea3a64d54c4a7cec6d207ee5a23a17f68614be1156ffadfd139b7c65d", "category": "xss", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fmt.Fprintln(errOut, err.Error())", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC112", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|12f6fa6ea3a64d54c4a7cec6d207ee5a23a17f68614be1156ffadfd139b7c65d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/doctor/healthcheck/cmd.go"}, "region": {"startLine": 112}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96306, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4ce107e6684451fa23854b611f6160d2419438603823485045c3bcf97fc28b0c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/coreapi/graph/models/converters.go", "duplicate_line": 92, "correlation_key": "fp|4ce107e6684451fa23854b611f6160d2419438603823485045c3bcf97fc28b0c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/coreapi/graph/resolvers/runs_v2.go"}, "region": {"startLine": 149}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96305, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"f24c3576c62ab405bf5604304eb39efd4d0e9b9272e113895a44c5fba94723f2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/coreapi/graph/resolvers/event_v2.go", "duplicate_line": 37, "correlation_key": "fp|f24c3576c62ab405bf5604304eb39efd4d0e9b9272e113895a44c5fba94723f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/coreapi/graph/resolvers/runs_v2.go"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96304, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8ccd3905b2a18179b49e4795e465db2feb903fb272653ee58c94a1d7683a632d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/connect/state/redis.go", "duplicate_line": 58, "correlation_key": "fp|8ccd3905b2a18179b49e4795e465db2feb903fb272653ee58c94a1d7683a632d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/constraintapi/lua.go"}, "region": {"startLine": 55}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96303, "scanner": "repobility-ai-code-hygiene", "fingerprint": "dec8ca39c7ae8038f33932ac83141014c12274eb65c84ae37d7d990072850d03", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", 
"verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/constraintapi/acquire.go", "duplicate_line": 74, "correlation_key": "fp|dec8ca39c7ae8038f33932ac83141014c12274eb65c84ae37d7d990072850d03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/constraintapi/check.go"}, "region": {"startLine": 31}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96302, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5cead307c9c19b77891a361c79d2a2490f87908b73db098b8a6915f990c5998f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/connect/rest/v0/conns.go", "duplicate_line": 18, "correlation_key": "fp|5cead307c9c19b77891a361c79d2a2490f87908b73db098b8a6915f990c5998f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/connect/rest/v0/workergroup.go"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96301, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3b5b6a471b5393e7e0c6513e043bb554c535ecd589561171ff09df0c54931355", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": 
"AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "pkg/connect/gateway_msg_heartbeat.go", "duplicate_line": 32, "correlation_key": "fp|3b5b6a471b5393e7e0c6513e043bb554c535ecd589561171ff09df0c54931355"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/connect/gateway_msg_ready.go"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96300, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1ef65b8a16ee233e967f2c69cb3fbee90eea14541f95bea779603f93f85f7a65", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/devserver/devserver.go", "duplicate_line": 108, "correlation_key": "fp|1ef65b8a16ee233e967f2c69cb3fbee90eea14541f95bea779603f93f85f7a65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/start/start.go"}, "region": {"startLine": 37}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96299, "scanner": "repobility-ai-code-hygiene", "fingerprint": "29e43d11338044aeb34bff7b13bad9c268d5f620456323fdc359081d04c0cb9b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/devserver/cmd.go", "duplicate_line": 52, "correlation_key": 
"fp|29e43d11338044aeb34bff7b13bad9c268d5f620456323fdc359081d04c0cb9b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/start/cmd.go"}, "region": {"startLine": 85}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96298, "scanner": "repobility-ai-code-hygiene", "fingerprint": "341c7d58f284839151bf0cd624fe3eddc31e85812fa7b94c79932a1ea158f30c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/debug/singleton/delete.go", "duplicate_line": 15, "correlation_key": "fp|341c7d58f284839151bf0cd624fe3eddc31e85812fa7b94c79932a1ea158f30c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/debug/singleton/info.go"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96297, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3267e58247977e7e6daea29c75e888f849486bbda98e530d59e06f4837dc2337", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/debug/debounce/delete.go", "duplicate_line": 2, "correlation_key": "fp|3267e58247977e7e6daea29c75e888f849486bbda98e530d59e06f4837dc2337"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/debug/singleton/delete.go"}, "region": 
{"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96296, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7a2a59350a862645192e67a161a6732c6eca43f46a680fdde6ea016bb08b370b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/debug/pause/deleted.go", "duplicate_line": 17, "correlation_key": "fp|7a2a59350a862645192e67a161a6732c6eca43f46a680fdde6ea016bb08b370b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/debug/pause/peek.go"}, "region": {"startLine": 17}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96295, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bdf889e4d41d142fc47ede227c90e88b844168bc049fadd1af321d7ee70f1e95", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/debug/debounce/delete.go", "duplicate_line": 15, "correlation_key": "fp|bdf889e4d41d142fc47ede227c90e88b844168bc049fadd1af321d7ee70f1e95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/debug/debounce/run.go"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96294, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "97a9b12f7c935232230f834dce71a5da500fe6167335e9a17683f8073b1f47ab", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/debug/debounce/delete.go", "duplicate_line": 15, "correlation_key": "fp|97a9b12f7c935232230f834dce71a5da500fe6167335e9a17683f8073b1f47ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/debug/debounce/info.go"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96293, "scanner": "repobility-ai-code-hygiene", "fingerprint": "cd3930073b0614e3b678cada05bcdae2d7fc8d1d76b80f9624d864739e89eeeb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/debug/batch/delete.go", "duplicate_line": 14, "correlation_key": "fp|cd3930073b0614e3b678cada05bcdae2d7fc8d1d76b80f9624d864739e89eeeb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/debug/batch/run.go"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 96292, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e183f2437732143def9a9364147658e3d333838a7e0662c8dac1910981c30ca8", "category": "quality", "severity": "low", "confidence": 0.86, 
"triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "cmd/debug/batch/delete.go", "duplicate_line": 14, "correlation_key": "fp|e183f2437732143def9a9364147658e3d333838a7e0662c8dac1910981c30ca8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/debug/batch/info.go"}, "region": {"startLine": 15}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 96254, "scanner": "repobility-threat-engine", "fingerprint": "3d8e3914871cc9c16e763e4c8f737b2e9a131cdd53ec12ef3190a28f5697ff4e", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = itrace.CloseUserTracer(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3d8e3914871cc9c16e763e4c8f737b2e9a131cdd53ec12ef3190a28f5697ff4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/start/start.go"}, "region": {"startLine": 55}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 96253, "scanner": "repobility-threat-engine", "fingerprint": "91dbc78714727bc650295fd93e1d125b87377d687b34f8ecfdce9ceed5258664", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = eg.Wait(", "reason": "Pattern matched with 
no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|91dbc78714727bc650295fd93e1d125b87377d687b34f8ecfdce9ceed5258664"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/doctor/healthcheck/cmd.go"}, "region": {"startLine": 106}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 96252, "scanner": "repobility-threat-engine", "fingerprint": "a0ba3dd163301cb69a98490b9d727f7abdde9a575302532f23bd7457275f8b96", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = itrace.CloseUserTracer(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a0ba3dd163301cb69a98490b9d727f7abdde9a575302532f23bd7457275f8b96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/devserver/devserver.go"}, "region": {"startLine": 136}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 96307, "scanner": "repobility-docker", "fingerprint": "be0b8d3313ec22a72b48539b1312df5fbae576eaa5d6eddf2b7c67f037b4ce25", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "mcr.microsoft.com/vscode/devcontainers/go:0-${VARIANT}", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://docs.docker.com/scout/policy/"], "correlation_key": "fp|be0b8d3313ec22a72b48539b1312df5fbae576eaa5d6eddf2b7c67f037b4ce25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 96282, "scanner": "repobility-threat-engine", "fingerprint": "81f86ece450ffcb9331264d72a6f92a9e7f0deab58c34779b41399dc9163a419", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|81f86ece450ffcb9331264d72a6f92a9e7f0deab58c34779b41399dc9163a419"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/coreapi/graph/resolvers/app_mutations.go"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 96281, "scanner": "repobility-threat-engine", "fingerprint": "88f985e40c0519bd5844539008f264d503dbc3462ef5849d825499fdba1b757d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": 
"2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|88f985e40c0519bd5844539008f264d503dbc3462ef5849d825499fdba1b757d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/config/messaging.go"}, "region": {"startLine": 176}}}]}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 96279, "scanner": "repobility-threat-engine", "fingerprint": "988f5eb93abd250acafc74d1384ac7b774c62f3677f848e26babb05aa408c146", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|988f5eb93abd250acafc74d1384ac7b774c62f3677f848e26babb05aa408c146", "aggregated_count": 4}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. 
Review if needed."}, "properties": {"repobilityId": 96270, "scanner": "repobility-threat-engine", "fingerprint": "29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|29f418f0b32afce9ff9545bb3e439c1b302cb3c41f56d413b872dcb5fe0b02fc"}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 96266, "scanner": "repobility-threat-engine", "fingerprint": "9e775576c08bc679c93dc6866ec50021a010701fde0e5587e9af731c8cdbe0d2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9e775576c08bc679c93dc6866ec50021a010701fde0e5587e9af731c8cdbe0d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api-docs/src/routeTree.gen.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 96265, 
"scanner": "repobility-threat-engine", "fingerprint": "67ad0f8d9f19642e77bb70af34c90ea68e4223fbcf4fe80aa233e3e9048634c4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|67ad0f8d9f19642e77bb70af34c90ea68e4223fbcf4fe80aa233e3e9048634c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api-docs/src/components/mdx.tsx"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 96264, "scanner": "repobility-threat-engine", "fingerprint": "bbccc4a3e8fff80d7fdb75586bbdebb9e653af5cdc9ca62ed7ebc26790e25afc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bbccc4a3e8fff80d7fdb75586bbdebb9e653af5cdc9ca62ed7ebc26790e25afc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api-docs/scripts/generate-docs.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED044", "level": "none", 
"message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 96263, "scanner": "repobility-threat-engine", "fingerprint": "69532f31e8d443aa6ea2bc7d3edb995c282c799a07e706e12436756a459141f6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|69532f31e8d443aa6ea2bc7d3edb995c282c799a07e706e12436756a459141f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/postinstall.ts"}, "region": {"startLine": 243}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 96262, "scanner": "repobility-threat-engine", "fingerprint": "5e1ce37677bff0a65500506df940554ac801bfc04624070f4a4613080c35e48d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5e1ce37677bff0a65500506df940554ac801bfc04624070f4a4613080c35e48d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api-docs/scripts/generate-docs.ts"}, "region": {"startLine": 196}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 96260, "scanner": "repobility-threat-engine", "fingerprint": "85c4896443af68563c201765b60383810d346ee42e0660a82238ba53d71ba096", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|85c4896443af68563c201765b60383810d346ee42e0660a82238ba53d71ba096", "aggregated_count": 1}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 96259, "scanner": "repobility-threat-engine", "fingerprint": "b04e7c9ea8e15c531eca6c8450ee01acdea0f007eb68bfe795c41edc1dfd71e2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b04e7c9ea8e15c531eca6c8450ee01acdea0f007eb68bfe795c41edc1dfd71e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/cli/output/text.go"}, "region": {"startLine": 294}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 96258, "scanner": "repobility-threat-engine", "fingerprint": "0f68c788ad3c86beaa3cc8296aaf818dba09b715e2b809233255c8d84641a6b1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0f68c788ad3c86beaa3cc8296aaf818dba09b715e2b809233255c8d84641a6b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/tel/tel.go"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. 
Should return error in most cases."}, "properties": {"repobilityId": 96257, "scanner": "repobility-threat-engine", "fingerprint": "d7c96a6605207176a218684599aa70612d168726cc4d9baf4eedc25dc0c0f980", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d7c96a6605207176a218684599aa70612d168726cc4d9baf4eedc25dc0c0f980"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/main.go"}, "region": {"startLine": 13}}}]}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 21 more): Same pattern found in 21 additional files. Review if needed."}, "properties": {"repobilityId": 96255, "scanner": "repobility-threat-engine", "fingerprint": "be4177234b4e36cf164e2f1675576c8aaa7c3adfdf8dcd03d39706dcc230d23e", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 21 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|be4177234b4e36cf164e2f1675576c8aaa7c3adfdf8dcd03d39706dcc230d23e"}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 10 more): Same pattern found in 10 additional files. 
Review if needed."}, "properties": {"repobilityId": 96251, "scanner": "repobility-threat-engine", "fingerprint": "818ddb6a7cc4708f54e6a9047d0980dcaba75aaa1447f844d9b871cfb5f4ca84", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|818ddb6a7cc4708f54e6a9047d0980dcaba75aaa1447f844d9b871cfb5f4ca84", "aggregated_count": 10}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 96250, "scanner": "repobility-threat-engine", "fingerprint": "ae979486e6b690107dc3074e6d0ccd6c17083f40bca7888dca8825f5e6c64563", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ae979486e6b690107dc3074e6d0ccd6c17083f40bca7888dca8825f5e6c64563"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/config/messaging.go"}, "region": {"startLine": 111}}}]}, {"ruleId": "MINED060", 
"level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() used where a request- or caller-scoped context should be propagated. Work started from a Background context is never cancelled when the caller gives up, so goroutines, timers and connections can outlive the request that started them. At a process entry point (main, a CLI root command) a Background context is the correct root, so confirm that this cmd/ location is really a handler boundary before treating it as a leak."}, "properties": {"repobilityId": 96249, "scanner": "repobility-threat-engine", "fingerprint": "b3c701c786abf2b818b2b19db13d4e04bcec1db8c4115a8f971c20c38c6aa02b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b3c701c786abf2b818b2b19db13d4e04bcec1db8c4115a8f971c20c38c6aa02b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "cmd/root.go"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() used where a request- or caller-scoped context should be propagated. Work started from a Background context is never cancelled when the caller gives up, so goroutines, timers and connections can outlive the request that started them. At a process entry point (main, a CLI root command) a Background context is the correct root, so confirm that this cmd/ location is really a handler boundary before treating it as a leak."}, "properties": {"repobilityId": 96248, "scanner": "repobility-threat-engine", "fingerprint": "3362717e22d19a1ae1893a04889f0c7ef892cb3ef96f76046a32b8b148a36b27", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3362717e22d19a1ae1893a04889f0c7ef892cb3ef96f76046a32b8b148a36b27"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "cmd/devserver/devserver.go"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/repository-dispatch` pinned to mutable ref `@v3`: `uses: peter-evans/repository-dispatch@v3` resolves at workflow-run time. A tag or branch can be moved to a different commit by anyone with write access to the action repository (the maintainer, or an attacker holding a compromised token); that is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos with no change on their side. If this workflow hands the action a token able to write to another repository, as repository-dispatch usually needs, a hijacked version would receive that token, so the impact here is larger than for a read-only step. Pin to the full 40-character commit SHA (keeping the version in a trailing comment for readability) and let Dependabot or Renovate raise PRs that bump the pinned SHA; the pin covers only this action, so any actions it references internally by tag still resolve at run time."}, "properties": {"repobilityId": 96376, "scanner": "repobility-supply-chain", "fingerprint": "8e6627b74dca0b1e7701a5b832f1027af46f4f83cadc6a6977c23b1ec6deec9a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8e6627b74dca0b1e7701a5b832f1027af46f4f83cadc6a6977c23b1ec6deec9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dispatch_upstream.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. A tag or branch can be moved to a different commit by anyone with write access to the action repository (the maintainer, or an attacker holding a compromised token); that is how the tj-actions/changed-files compromise (2025) instantly affected ~23K repos with no change on their side. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96375, "scanner": "repobility-supply-chain", "fingerprint": "7a1d43917f8c3c12caf288ccae30e0e2717efce033e4e29e4a342a921857c8e6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7a1d43917f8c3c12caf288ccae30e0e2717efce033e4e29e4a342a921857c8e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm_test.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96374, "scanner": "repobility-supply-chain", "fingerprint": "5cb792f9ff8aa6f3f2b29de15ad84834b4272ee4fbe209244cb17f07b96242ca", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5cb792f9ff8aa6f3f2b29de15ad84834b4272ee4fbe209244cb17f07b96242ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/npm_test.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `codecov/codecov-action` pinned to mutable ref `@v5`: `uses: codecov/codecov-action@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96372, "scanner": "repobility-supply-chain", "fingerprint": "2b5f576524a332af635f0a0c17cafdf43ece5276cba321043edd065bd52de1f9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2b5f576524a332af635f0a0c17cafdf43ece5276cba321043edd065bd52de1f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go.yaml"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96371, "scanner": "repobility-supply-chain", "fingerprint": "005902b2f96b754b39d5ab7665bc3b88b1ac45a0fa743dd827540f40fa87003e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|005902b2f96b754b39d5ab7665bc3b88b1ac45a0fa743dd827540f40fa87003e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go.yaml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96370, "scanner": "repobility-supply-chain", "fingerprint": "5fb7279cba1782b36dedb03dc12d3ae9ea3347bf4461168588d3992fb51dcc3e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5fb7279cba1782b36dedb03dc12d3ae9ea3347bf4461168588d3992fb51dcc3e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go.yaml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `nicknovitski/nix-develop` pinned to mutable ref `@v1.2.1`: `uses: nicknovitski/nix-develop@v1.2.1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96369, "scanner": "repobility-supply-chain", "fingerprint": "1541ed325601a8e800096552bc9a4340e3c96bd99f09601cb4be719878a67913", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1541ed325601a8e800096552bc9a4340e3c96bd99f09601cb4be719878a67913"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go.yaml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `DeterminateSystems/nix-installer-action` pinned to mutable ref `@main`: `uses: DeterminateSystems/nix-installer-action@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96368, "scanner": "repobility-supply-chain", "fingerprint": "981c8c09e9e01d2f7f7df4036fbc53a2b60ba5851b353c32b8ac0f067f0b7fc4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|981c8c09e9e01d2f7f7df4036fbc53a2b60ba5851b353c32b8ac0f067f0b7fc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go.yaml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96367, "scanner": "repobility-supply-chain", "fingerprint": "cbc0a31a63f11ebcd5f9dccf69914464fe0761bb4dade866f359de68a1ea4156", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cbc0a31a63f11ebcd5f9dccf69914464fe0761bb4dade866f359de68a1ea4156"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go.yaml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `golangci/golangci-lint-action` pinned to mutable ref `@v8`: `uses: golangci/golangci-lint-action@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96366, "scanner": "repobility-supply-chain", "fingerprint": "89b8991ab8476e626f7c11db0eb54d8177172ced81e44f6688026beaa9b07499", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|89b8991ab8476e626f7c11db0eb54d8177172ced81e44f6688026beaa9b07499"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go.yaml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96365, "scanner": "repobility-supply-chain", "fingerprint": "2eaae2b2782a7e6ef826aeffeea69e96540b01db502ccc8ddc8df69ba546d189", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2eaae2b2782a7e6ef826aeffeea69e96540b01db502ccc8ddc8df69ba546d189"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go.yaml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96364, "scanner": "repobility-supply-chain", "fingerprint": "80562c61f8cbe8ca9a7341288996534454956cab1ec3723a78af31ea9fb00e1f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|80562c61f8cbe8ca9a7341288996534454956cab1ec3723a78af31ea9fb00e1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go.yaml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96363, "scanner": "repobility-supply-chain", "fingerprint": "0f1b6eccd44320e51a463b8965ad4f07f92cda0f59a253adcddbd35f10cb5fb1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f1b6eccd44320e51a463b8965ad4f07f92cda0f59a253adcddbd35f10cb5fb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prerelease.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96362, "scanner": "repobility-supply-chain", "fingerprint": "7fb2e5a9d8b09ff4e0157e0ed9de96edc256be57a57c8545a0ff80ee29f75dd3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7fb2e5a9d8b09ff4e0157e0ed9de96edc256be57a57c8545a0ff80ee29f75dd3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prerelease.yml"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96361, "scanner": "repobility-supply-chain", "fingerprint": "e6a6a0459cfa6dfdc3b65c9cebc221eb4d5b477062c0d1d2ca8409836b3d6b74", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e6a6a0459cfa6dfdc3b65c9cebc221eb4d5b477062c0d1d2ca8409836b3d6b74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prerelease.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96360, "scanner": "repobility-supply-chain", "fingerprint": "4005afd63b03607ff8b2f335f035b20711e59e0063795b3370cd6870b0ddb169", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4005afd63b03607ff8b2f335f035b20711e59e0063795b3370cd6870b0ddb169"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prerelease.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96359, "scanner": "repobility-supply-chain", "fingerprint": "7b237a59670a4b8f1c663a8a9dd370a034726227437476d1c2d4119eb675501c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7b237a59670a4b8f1c663a8a9dd370a034726227437476d1c2d4119eb675501c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev_server_ui.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4.0.0`: `uses: pnpm/action-setup@v4.0.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96358, "scanner": "repobility-supply-chain", "fingerprint": "0ee927ff0f4fe66cfb5bf17a0ba789f0f1adcf2e8b9d0b9641c835b2d6e52c59", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0ee927ff0f4fe66cfb5bf17a0ba789f0f1adcf2e8b9d0b9641c835b2d6e52c59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev_server_ui.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96357, "scanner": "repobility-supply-chain", "fingerprint": "79dfe7982eca0d1b2a090737cc58dfbded32c1bb5e00cba0692d446661aa7b5e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|79dfe7982eca0d1b2a090737cc58dfbded32c1bb5e00cba0692d446661aa7b5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/dev_server_ui.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96356, "scanner": "repobility-supply-chain", "fingerprint": "6edcc5a4d55abc057adc852907867d11cb0fdc8707277f92e81123e92eff0c90", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6edcc5a4d55abc057adc852907867d11cb0fdc8707277f92e81123e92eff0c90"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/components_test.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96355, "scanner": "repobility-supply-chain", "fingerprint": "9ca9a186c2b88d9212ec2dafdae7375eb84271e325d54d6496a4c62438099658", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ca9a186c2b88d9212ec2dafdae7375eb84271e325d54d6496a4c62438099658"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/components_test.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96354, "scanner": "repobility-supply-chain", "fingerprint": "7c7d3516e1d5485617e7d64de6a92f1d152dfd479eff2f73b589208ee95f269a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7c7d3516e1d5485617e7d64de6a92f1d152dfd479eff2f73b589208ee95f269a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/components_test.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/upload-sarif` pinned to mutable ref `@v3`: `uses: github/codeql-action/upload-sarif@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96353, "scanner": "repobility-supply-chain", "fingerprint": "07e8bdaf1d37d56830b057a3225773fdb56abf5b984486d3c088f727a5f49004", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|07e8bdaf1d37d56830b057a3225773fdb56abf5b984486d3c088f727a5f49004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security.yaml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `securego/gosec` pinned to mutable ref `@v2.20.0`: `uses: securego/gosec@v2.20.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96352, "scanner": "repobility-supply-chain", "fingerprint": "5f34d30175e9b534b2823573d071a6125c1c0dc814f10053f0681f93eafb89c7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5f34d30175e9b534b2823573d071a6125c1c0dc814f10053f0681f93eafb89c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security.yaml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 96351, "scanner": "repobility-supply-chain", "fingerprint": "7cfd1af179ca33cd405684aaa290175f9205b0a5cd9679d26c19ce1b8a2c7e68", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7cfd1af179ca33cd405684aaa290175f9205b0a5cd9679d26c19ce1b8a2c7e68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/security.yaml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `mcr.microsoft.com/vscode/devcontainers/go:0-` not pinned by digest: `FROM mcr.microsoft.com/vscode/devcontainers/go:0-` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 96350, "scanner": "repobility-supply-chain", "fingerprint": "78d1760924f395969162ac0b104f3a351597069efbe3731d31a9104a721c3918", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|78d1760924f395969162ac0b104f3a351597069efbe3731d31a9104a721c3918"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `alpine:3.21` not pinned by digest: `FROM alpine:3.21` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 96349, "scanner": "repobility-supply-chain", "fingerprint": "f4165eaabd8dd83a0f592d1a5ac127fb33e0490fec573b07aa5085923c7c6c73", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f4165eaabd8dd83a0f592d1a5ac127fb33e0490fec573b07aa5085923c7c6c73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 10}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: DELETE /runs/{runID}."}, "properties": {"repobilityId": 96325, "scanner": "repobility-access-control", "fingerprint": "a47473d4f4b6ee850151543648db77606cb9ecb4fa91d0496682cbe1462da4e7", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/runs/{runID}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/api/apiv1/apiv1.go|171|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/apiv1/apiv1.go"}, "region": {"startLine": 171}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: GET /runs/{runID}."}, "properties": {"repobilityId": 96324, "scanner": "repobility-access-control", "fingerprint": "5bc8a2cd204774f8365f681daa0cb54f2bcd82f0ef8692d989b319324e040836", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/runs/{runID}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/api/apiv1/apiv1.go|170|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/apiv1/apiv1.go"}, "region": {"startLine": 170}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. 
This is a BOLA/IDOR review target. Endpoint: GET /events/{eventID}/runs."}, "properties": {"repobilityId": 96323, "scanner": "repobility-access-control", "fingerprint": "2751782530552625c76b0358c42b1271f53f26278b582818f3634b99fe51e17a", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/events/{eventID}/runs", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/api/apiv1/apiv1.go|169|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/apiv1/apiv1.go"}, "region": {"startLine": 169}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /events/{eventID}."}, "properties": {"repobilityId": 96322, "scanner": "repobility-access-control", "fingerprint": "28d968a57b0f2ab2b722e2b95e279811abb139d42b7354cfe6637156d7cbf827", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/events/{eventID}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/api/apiv1/apiv1.go|168|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/apiv1/apiv1.go"}, "region": {"startLine": 168}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /envs/{envID}/groups/{groupID}."}, "properties": {"repobilityId": 96321, "scanner": "repobility-access-control", "fingerprint": "b0c02c86c3024f89891fb221ac084b176a43922c52a8e3ab41d3c2c198a8bdf0", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/envs/{envID}/groups/{groupID}", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/connect/rest/v0/v0.go|95|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/connect/rest/v0/v0.go"}, "region": {"startLine": 95}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /envs/{envID}/conns."}, "properties": {"repobilityId": 96320, "scanner": "repobility-access-control", "fingerprint": "d18fdb82ee5f29236e1f136ed072b6eef6713a29e7b867c58a52fa8e4496ee8c", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/envs/{envID}/conns", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/connect/rest/v0/v0.go|94|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/connect/rest/v0/v0.go"}, "region": {"startLine": 94}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: POST /invoke/{slug}."}, "properties": {"repobilityId": 96319, "scanner": "repobility-access-control", "fingerprint": "a75426c31920cd6198084ce82ac993af3cc75a8ddb1dfe87977c1879bb10b0eb", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/invoke/{slug}", "method": "POST", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/api/api.go|78|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/api.go"}, "region": {"startLine": 78}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. 
This is a BOLA/IDOR review target. Endpoint: GET /runs/{runID}/actions."}, "properties": {"repobilityId": 96318, "scanner": "repobility-access-control", "fingerprint": "eb613294975d64f154afd7abfb5f1f9e63271a150d6983de2d855abd420b0a34", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/runs/{runID}/actions", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/coreapi/coreapi.go|120|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/coreapi/coreapi.go"}, "region": {"startLine": 120}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: GET /runs/{runID}/batch."}, "properties": {"repobilityId": 96317, "scanner": "repobility-access-control", "fingerprint": "dae673404f6adf0eaf7182c36914674ef5d82dbf180183b7581763171eff1734", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/runs/{runID}/batch", "method": "GET", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/coreapi/coreapi.go|119|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/coreapi/coreapi.go"}, "region": {"startLine": 119}}}]}, {"ruleId": "AUC003", "level": "error", "message": {"text": "[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. 
Endpoint: DELETE /runs/{runID}."}, "properties": {"repobilityId": 96316, "scanner": "repobility-access-control", "fingerprint": "c8159d8339e00afafa4d9c8d4dd2340604b440ab9e89625bf5b81540ac4bac7f", "category": "auth", "severity": "high", "confidence": 0.7, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/runs/{runID}", "method": "DELETE", "scanner": "repobility-access-control", "framework": "Chi", "correlation_key": "code|auth|pkg/coreapi/coreapi.go|117|auc003", "identity_targets": ["unknown", "owner"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/coreapi/coreapi.go"}, "region": {"startLine": 117}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 96313, "scanner": "repobility-docker", "fingerprint": "983473c5faeecf2104e44eb46c961c8a47e0c306557cb51c2364c260cef8a9a7", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|983473c5faeecf2104e44eb46c961c8a47e0c306557cb51c2364c260cef8a9a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "vendor/github.com/pelletier/go-toml/Dockerfile"}, "region": {"startLine": 3}}}]}, {"ruleId": "DKR014", "level": "error", "message": {"text": "Dockerfile copies the entire context without .dockerignore"}, "properties": {"repobilityId": 96311, "scanner": "repobility-docker", "fingerprint": "3e7b8b0e30af997d5cfddfbfddd5bc79b46a0af3798a7b94e13a2110595a8c8f", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "Broad context copy and missing .dockerignore were found together.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|3e7b8b0e30af997d5cfddfbfddd5bc79b46a0af3798a7b94e13a2110595a8c8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, "properties": {"repobilityId": 96309, "scanner": "repobility-docker", "fingerprint": "f7fe8b2967591230f04f4cc37d83401e896e1fda0c7085d2b6231a475e6880a6", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f7fe8b2967591230f04f4cc37d83401e896e1fda0c7085d2b6231a475e6880a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".devcontainer/Dockerfile"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 96288, "scanner": "repobility-threat-engine", "fingerprint": "040e070b0c4a761fc413ec1be87d4dc566f6a262b377fa6c282cc0978d6a6874", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(ctx", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|040e070b0c4a761fc413ec1be87d4dc566f6a262b377fa6c282cc0978d6a6874"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/constraintapi/semaphore_manager.go"}, "region": {"startLine": 84}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 96287, "scanner": "repobility-threat-engine", "fingerprint": "e2b6f0d58d363fd3d196a00c2f25c607c21306de618fd566b8303fd716c493f9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(ctx", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e2b6f0d58d363fd3d196a00c2f25c607c21306de618fd566b8303fd716c493f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/constraintapi/scavenge.go"}, "region": {"startLine": 282}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 96286, "scanner": "repobility-threat-engine", "fingerprint": "ebd008d226d7ea3d452337955163ad4bf2208f356c8ea6fca6fd15d55811c8af", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(\n\t\tctx", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ebd008d226d7ea3d452337955163ad4bf2208f356c8ea6fca6fd15d55811c8af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/connect/state/request.go"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 96280, "scanner": "repobility-threat-engine", "fingerprint": "6ac1b42d19985256bf2a45c2eb94e4c31b64d17fa66fb57c247ee8b0a9d47e66", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6ac1b42d19985256bf2a45c2eb94e4c31b64d17fa66fb57c247ee8b0a9d47e66"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/apiv1/metadata.go"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 96278, "scanner": "repobility-threat-engine", "fingerprint": "b366bfdeb2275cd246b83f57a7dde06465c0d89408e424bb7ee2119c969accf4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b366bfdeb2275cd246b83f57a7dde06465c0d89408e424bb7ee2119c969accf4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/v2/endpoints_function.go"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 96277, "scanner": "repobility-threat-engine", "fingerprint": "54cbd4237ce399bc65ba4325c85eb6ebb205296582bf81b5915eb72970917026", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|54cbd4237ce399bc65ba4325c85eb6ebb205296582bf81b5915eb72970917026"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/apiv1/metadata.go"}, "region": {"startLine": 136}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. 
Go anti-pattern."}, "properties": {"repobilityId": 96276, "scanner": "repobility-threat-engine", "fingerprint": "ee0c6b63e31f02084c9f9ec014fd841d2d8bdfc783e72711b60c562524fc34ca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ee0c6b63e31f02084c9f9ec014fd841d2d8bdfc783e72711b60c562524fc34ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/apiv1/apiv1auth/apiv1auth.go"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 96275, "scanner": "repobility-threat-engine", "fingerprint": "7f6c9ea6c10f31c7a23bfde08a5e6fe698d4f4c15e55e046b0539d8c0d78b09c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "i.inFlightRequests.Delete(requestID)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7f6c9ea6c10f31c7a23bfde08a5e6fe698d4f4c15e55e046b0539d8c0d78b09c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/connect/grpc/grpc.go"}, "region": {"startLine": 202}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 96274, "scanner": "repobility-threat-engine", "fingerprint": "656eaf2992e91bdb14ea5d753499703f404e8970317a3d63d174a66c325355e0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "r.Delete(\"/runs/{runID}\", a.cancelFunctionRun)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|656eaf2992e91bdb14ea5d753499703f404e8970317a3d63d174a66c325355e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/api/apiv1/apiv1.go"}, "region": {"startLine": 171}}}]}, {"ruleId": "SEC080", "level": "error", "message": {"text": "[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). 
Ported from bandit B202 (Apache-2.0)."}, "properties": {"repobilityId": 96271, "scanner": "repobility-threat-engine", "fingerprint": "1e79acf2ddb6847cef711211e778f2ff5671ced2258677e2e40f15be5af572cc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "tar.extract({ cwd: targetPath })", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC080", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1e79acf2ddb6847cef711211e778f2ff5671ced2258677e2e40f15be5af572cc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/postinstall.ts"}, "region": {"startLine": 183}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 96269, "scanner": "repobility-threat-engine", "fingerprint": "b70f82cee3d58d959f5a765a65020fdff1d86616398e76a28d8bb44540454222", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b70f82cee3d58d959f5a765a65020fdff1d86616398e76a28d8bb44540454222"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "pkg/config/messaging.go"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 96268, "scanner": "repobility-threat-engine", "fingerprint": "4a7228ae1cae2f213fbceef0522e871d4bb5032fa69d396ad78c005cba2cc8a0", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|4a7228ae1cae2f213fbceef0522e871d4bb5032fa69d396ad78c005cba2cc8a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "npm/postinstall.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 96267, "scanner": "repobility-threat-engine", "fingerprint": "236b4c163a857702d3727a75db3a66e33407de48f4fd984e10552fe337404d67", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|236b4c163a857702d3727a75db3a66e33407de48f4fd984e10552fe337404d67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api-docs/src/routes/$.tsx"}, "region": {"startLine": 57}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 96261, "scanner": "repobility-threat-engine", "fingerprint": "cca271b77cd1542c54cfc2a7dee263a97c40d697cf00176f6124642e38482447", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((m) => `  - ${m.method} ${m.path} references tag \"${m.tag}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cca271b77cd1542c54cfc2a7dee263a97c40d697cf00176f6124642e38482447"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/api-docs/scripts/generate-docs.ts"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96381, "scanner": "repobility-supply-chain", "fingerprint": "1aeb052d8f050c8f463d88da3ab800abb61d69863299354d07531e38f78d393b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1aeb052d8f050c8f463d88da3ab800abb61d69863299354d07531e38f78d393b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e.yml"}, "region": {"startLine": 390}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96380, "scanner": "repobility-supply-chain", "fingerprint": "9424488e9be4a3dbbea496c7bae5ca1d3bb02496db6260f4dead3436d9b6c3f4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9424488e9be4a3dbbea496c7bae5ca1d3bb02496db6260f4dead3436d9b6c3f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e.yml"}, "region": {"startLine": 361}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96379, "scanner": "repobility-supply-chain", "fingerprint": "98de995b3298aa629e5ae3bd6f45f4edba1778a11d79c2731031a4fd8d733513", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|98de995b3298aa629e5ae3bd6f45f4edba1778a11d79c2731031a4fd8d733513"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e.yml"}, "region": {"startLine": 275}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96378, "scanner": "repobility-supply-chain", "fingerprint": "cadd970ddf4758aeb2c20a6be420249f218f2b836b138479b63db9c19d69f81d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cadd970ddf4758aeb2c20a6be420249f218f2b836b138479b63db9c19d69f81d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e.yml"}, "region": {"startLine": 187}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96377, "scanner": "repobility-supply-chain", "fingerprint": "852ef2f5ad57a4431301fd67f5c58f0996044f2311f69605df0b8cb225001a04", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|852ef2f5ad57a4431301fd67f5c58f0996044f2311f69605df0b8cb225001a04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e.yml"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96373, "scanner": "repobility-supply-chain", "fingerprint": "d5b0e5eb5cd7063375f2b78532503f731fccc2e4b66b3d7b5ea0696cc5d369d2", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d5b0e5eb5cd7063375f2b78532503f731fccc2e4b66b3d7b5ea0696cc5d369d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/go.yaml"}, "region": {"startLine": 86}}}]}]}]}