{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found in a documentation, catalog, or template-heavy repository", "shortDescription": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "fullDescription": {"text": "If this repository ships runnable code, add focused tests for those examples or templates. If it is documentation/catalog content only, mark the finding as accepted or add a .repobilityignore note."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "info", "confidence": 0.35, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `julia-actions/cache` pinned to mutable ref `@v2`: `uses: julia-actions/cache@v2` resolves at workflow", "shortDescription": {"text": "[MINED115] Action `julia-actions/cache` pinned to mutable ref `@v2`: `uses: julia-actions/cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (20"}, "fullDescription": {"text": "Replace with: `uses: julia-actions/cache@<40-char-sha>  # v2` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, ", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1220"}, "properties": {"repository": "Julia-Tempering/Pigeons.jl", "repoUrl": "https://github.com/Julia-Tempering/Pigeons.jl", "branch": "main"}, "results": [{"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 123088, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "CORE_NO_TESTS", "level": "none", "message": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "properties": {"repobilityId": 123087, "scanner": "repobility-core", "fingerprint": "69cfb3536a8ccff500ccafcd681fc8d4bc9f4eda6689da02ddec81654bd9fd15", "category": "testing", "severity": "info", "confidence": 0.35, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "evidence": {"reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "confidence": 0.35, "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `julia-actions/cache` pinned to mutable ref `@v2`: `uses: julia-actions/cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123113, "scanner": "repobility-supply-chain", "fingerprint": "cb7cc0567da47cd8dd84b616d0eb0a30f9b09c227f01ec18f669cec97ab9c0e8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cb7cc0567da47cd8dd84b616d0eb0a30f9b09c227f01ec18f669cec97ab9c0e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 171}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `julia-actions/setup-julia` pinned to mutable ref `@v2`: `uses: julia-actions/setup-julia@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123112, "scanner": "repobility-supply-chain", "fingerprint": "d120a9e48dbfa5a188a8691c69cfb9d944d10a63576bde642fc1d9a136336c36", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d120a9e48dbfa5a188a8691c69cfb9d944d10a63576bde642fc1d9a136336c36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 168}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123111, "scanner": "repobility-supply-chain", "fingerprint": "e07be2840fd0ced5be03915c4aa23b4b10d6a9995eb5f363e788195f5d15093e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e07be2840fd0ced5be03915c4aa23b4b10d6a9995eb5f363e788195f5d15093e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123110, "scanner": "repobility-supply-chain", "fingerprint": "7c606be7324f5758a18a5f8b36cf982c10a890754bd8ed2a5d732c847a325bcf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7c606be7324f5758a18a5f8b36cf982c10a890754bd8ed2a5d732c847a325bcf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 163}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `julia-actions/julia-runtest` pinned to mutable ref `@v1`: `uses: julia-actions/julia-runtest@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123109, "scanner": "repobility-supply-chain", "fingerprint": "c4f11109f30262380fc655ced815667edd9c6dcffb96658b928002229f81a158", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c4f11109f30262380fc655ced815667edd9c6dcffb96658b928002229f81a158"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 153}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `julia-actions/cache` pinned to mutable ref `@v2`: `uses: julia-actions/cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123108, "scanner": "repobility-supply-chain", "fingerprint": "a10101819bb1f4cad3b2d669f77578c21a4e7698d1568f0da4098345b0770d7b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a10101819bb1f4cad3b2d669f77578c21a4e7698d1568f0da4098345b0770d7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `julia-actions/setup-julia` pinned to mutable ref `@v2`: `uses: julia-actions/setup-julia@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123107, "scanner": "repobility-supply-chain", "fingerprint": "0f4eead589bffd58dd2b11fd31e21522df97af5d8f4cc07edc46621fe01f89c3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f4eead589bffd58dd2b11fd31e21522df97af5d8f4cc07edc46621fe01f89c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 135}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123106, "scanner": "repobility-supply-chain", "fingerprint": "043e42a7246d5b42b006f045c02ab7e81d1f728ded95ba2dd9cd96afffaf0539", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|043e42a7246d5b42b006f045c02ab7e81d1f728ded95ba2dd9cd96afffaf0539"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 130}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123105, "scanner": "repobility-supply-chain", "fingerprint": "1676bb199fa93660731aef9add10cc201ca6d6ce943177efbf1905d06cb27173", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1676bb199fa93660731aef9add10cc201ca6d6ce943177efbf1905d06cb27173"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `julia-actions/julia-runtest` pinned to mutable ref `@v1`: `uses: julia-actions/julia-runtest@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123104, "scanner": "repobility-supply-chain", "fingerprint": "50c075ca12832a1e2a2ddbef9a5543d929dc3f5270b021e4d14fcd29e02fc14d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|50c075ca12832a1e2a2ddbef9a5543d929dc3f5270b021e4d14fcd29e02fc14d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `julia-actions/cache` pinned to mutable ref `@v2`: `uses: julia-actions/cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123103, "scanner": "repobility-supply-chain", "fingerprint": "a3a25050bbcad06733073587af3be1a44457e63d9ab3f3b31638204e2953c9a7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a3a25050bbcad06733073587af3be1a44457e63d9ab3f3b31638204e2953c9a7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `julia-actions/setup-julia` pinned to mutable ref `@v2`: `uses: julia-actions/setup-julia@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123102, "scanner": "repobility-supply-chain", "fingerprint": "b89f9e9936667b11cfec83f66c37464abe82ff4132cf6c5c350fea8385d118af", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b89f9e9936667b11cfec83f66c37464abe82ff4132cf6c5c350fea8385d118af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123101, "scanner": "repobility-supply-chain", "fingerprint": "a88e4838087b3d09f47e4b05af65b796efa1a15c34d28ca89d005e1ead9803e5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a88e4838087b3d09f47e4b05af65b796efa1a15c34d28ca89d005e1ead9803e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 75}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123100, "scanner": "repobility-supply-chain", "fingerprint": "0fbaf174468a8fb43e83d27936be3bd59c75b0115b2ff4ae7fc32ab9c777c30f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0fbaf174468a8fb43e83d27936be3bd59c75b0115b2ff4ae7fc32ab9c777c30f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `codecov/codecov-action` pinned to mutable ref `@v5`: `uses: codecov/codecov-action@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123099, "scanner": "repobility-supply-chain", "fingerprint": "521b4821e31071a56c7eb5aa727aca0bfc9301a3ec502d352f98c31cb4921761", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|521b4821e31071a56c7eb5aa727aca0bfc9301a3ec502d352f98c31cb4921761"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `julia-actions/julia-processcoverage` pinned to mutable ref `@v1`: `uses: julia-actions/julia-processcoverage@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123098, "scanner": "repobility-supply-chain", "fingerprint": "f0dc9e93e40677c168ec3cb7a56e43886ef51b48b01a26f891e453ae94ab153f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f0dc9e93e40677c168ec3cb7a56e43886ef51b48b01a26f891e453ae94ab153f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `julia-actions/julia-runtest` pinned to mutable ref `@v1`: `uses: julia-actions/julia-runtest@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123097, "scanner": "repobility-supply-chain", "fingerprint": "9b188a15e91b6cc48e98870de65f66dfa819f4ccfbae0f0c6735a5bcce452d8a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9b188a15e91b6cc48e98870de65f66dfa819f4ccfbae0f0c6735a5bcce452d8a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `julia-actions/julia-buildpkg` pinned to mutable ref `@v1`: `uses: julia-actions/julia-buildpkg@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123096, "scanner": "repobility-supply-chain", "fingerprint": "fd36b620f2bbb0190d360d552003865308901acec3e150afdf04ecfabd29c07e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fd36b620f2bbb0190d360d552003865308901acec3e150afdf04ecfabd29c07e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `julia-actions/cache` pinned to mutable ref `@v2`: `uses: julia-actions/cache@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123095, "scanner": "repobility-supply-chain", "fingerprint": "020ccc82b0b7e90eb7641f9c31057661d252ff3cb7a13cd9d1ceb3cf36b7987a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|020ccc82b0b7e90eb7641f9c31057661d252ff3cb7a13cd9d1ceb3cf36b7987a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `julia-actions/setup-julia` pinned to mutable ref `@v2`: `uses: julia-actions/setup-julia@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123094, "scanner": "repobility-supply-chain", "fingerprint": "9c217ca025c2cf2afd08dadaa2ebd49ee3a4e98183233a92d5ec045fbeb6734e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c217ca025c2cf2afd08dadaa2ebd49ee3a4e98183233a92d5ec045fbeb6734e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123093, "scanner": "repobility-supply-chain", "fingerprint": "c87e3f44b9acf2bb995c67e4d7bc4a81e0b9ef6de8eea380e87a7e5fa3cd7bed", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c87e3f44b9acf2bb995c67e4d7bc4a81e0b9ef6de8eea380e87a7e5fa3cd7bed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v5`: `uses: actions/checkout@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123092, "scanner": "repobility-supply-chain", "fingerprint": "483b55081d3cc76ff10294fc267cb1093a3083d80713f08eb766b4cc34d0fa4e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|483b55081d3cc76ff10294fc267cb1093a3083d80713f08eb766b4cc34d0fa4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `JuliaRegistries/TagBot` pinned to mutable ref `@v1`: `uses: JuliaRegistries/TagBot@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123091, "scanner": "repobility-supply-chain", "fingerprint": "aa20b4122dcad0f0c52b07be859edbcefe0e022550109d81c8f70a40cdc66dc5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|aa20b4122dcad0f0c52b07be859edbcefe0e022550109d81c8f70a40cdc66dc5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/TagBot.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `jgehrcke/github-repo-stats` pinned to mutable ref `@RELEASE`: `uses: jgehrcke/github-repo-stats@RELEASE` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123090, "scanner": "repobility-supply-chain", "fingerprint": "5a88ee630441c73dbae3baf9242444135cc1a333af1c81ebe777c2c25703876a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5a88ee630441c73dbae3baf9242444135cc1a333af1c81ebe777c2c25703876a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/github-repo-stats.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `julia-actions/RegisterAction` pinned to mutable ref `@latest`: `uses: julia-actions/RegisterAction@latest` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 123089, "scanner": "repobility-supply-chain", "fingerprint": "7e5a412f08f2f54d7714ebf543c0ddafa89e93209144d4c879befd733568a165", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7e5a412f08f2f54d7714ebf543c0ddafa89e93209144d4c879befd733568a165"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/register.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 123114, "scanner": "repobility-supply-chain", "fingerprint": "d002bd483e07f3a758b8f6839ebbf5dba349972fcd9d69a8e031b0a5329c2efc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d002bd483e07f3a758b8f6839ebbf5dba349972fcd9d69a8e031b0a5329c2efc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/CI.yml"}, "region": {"startLine": 51}}}]}]}]}