{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "security.txt gives researchers and customers a safe disclosure channel. Public web apps and APIs should publish it under /.well-known/security.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "A Content Security Policy reduces the blast radius of injected scripts if the app is ever served through preview, static hosting, or a web container outside its normal sandbox."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Docker images run as root unless the image or Dockerfile switches to a non-root user."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "COPY . or ADD . 
is safer when .dockerignore excludes secrets, git history, keys, and generated artifacts."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. 
AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AGT007", "name": "localStorage write failures are swallowed silently", "shortDescription": {"text": "localStorage write failures are swallowed silently"}, "fullDescription": {"text": "localStorage quotas are small and writes can fail. Catching storage errors without a user-visible warning causes silent data loss when notes, images, or snapshots exceed quota."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "humans.txt is optional, but it gives operators and reviewers a simple place to find ownership, contact, and important public documentation links."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "no-new-privileges prevents processes from gaining additional privileges through setuid binaries or file capabilities."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "If the image does not define USER internally, this service may run as root."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": ".dockerignore exists but does not cover common secret or VCS patterns."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS 
Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 14 (SonarSource scale). Cognitive complexi", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weig"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 14."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED048", "name": "[MINED048] Php Error Suppress (and 13 more): Same pattern found in 13 additional files. Review if needed.", "shortDescription": {"text": "[MINED048] Php Error Suppress (and 13 more): Same pattern found in 13 additional files. 
Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED074", "name": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI halluci", "shortDescription": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.", "shortDescription": {"text": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED055", "name": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of ", "shortDescription": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1357 / A06:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO ", "shortDescription": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, ra"}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-705 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInt", "shortDescription": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "Workflow container/services image `memcached:1.6-alpine` unpinned", "shortDescription": {"text": "Workflow container/services image `memcached:1.6-alpine` unpinned"}, "fullDescription": {"text": "`container/services image: memcached:1.6-alpine` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "Dockerfile FROM `zealphp:local` not pinned by digest", "shortDescription": {"text": "Dockerfile FROM `zealphp:local` not pinned by digest"}, "fullDescription": {"text": "`FROM zealphp:local` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED110", "name": "Blocking call `input` inside async function `main`", "shortDescription": {"text": "Blocking call `input` inside async function `main`"}, "fullDescription": {"text": "`input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine in the process from making progress."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "SEC039", "name": "[SEC039] Plaintext-equivalent password hash \u2014 unsalted single-pass digest: Single-pass digest of a password is cryptogra", "shortDescription": {"text": "[SEC039] Plaintext-equivalent password hash \u2014 unsalted single-pass digest: Single-pass digest of a password is cryptographically strong as a hash, but is rainbow-table-attackable when used for passwords: there's no salt and no key-stretchin"}, "fullDescription": {"text": "Use a purpose-built password hash:\n  - Python: passlib.hash.argon2.hash(password)\n  - Python: bcrypt.hashpw(password.encode(), bcrypt.gensalt())\n  - Python: hashlib.pbkdf2_hmac('sha256', password, salt, 600000)\n  - PHP: password_hash($password, PASSWORD_ARGON2ID)\n  - 
Node.js: argon2.hash(password) or bcrypt.hash(password, 12)\nWhen rotating, accept both old + new for one session each, then re-hash on next login."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1079"}, "properties": {"repository": "sibidharan/zealphp", "repoUrl": "https://github.com/sibidharan/zealphp", "branch": "master"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 105991, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 105990, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 105981, "scanner": "repobility-docker", "fingerprint": "0081589d01e3090d42adb08627782f21122036dadd7a2f3c27472d37fd2bd8b0", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "zealphp:local", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0081589d01e3090d42adb08627782f21122036dadd7a2f3c27472d37fd2bd8b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/compare-3way/Dockerfile.bench"}, "region": {"startLine": 1}}}]}, 
{"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 105979, "scanner": "repobility-docker", "fingerprint": "d81054a6ece0a0dc1917f7ea8736be67dc15361d92288b06a29377b3b3ea5a93", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "php:8.4-cli-bookworm@sha256:ca4b9f44c281f6214a08313185b306368b9ec1e9a73b54b4625774a254106e1d", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d81054a6ece0a0dc1917f7ea8736be67dc15361d92288b06a29377b3b3ea5a93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 105978, "scanner": "repobility-docker", "fingerprint": "194621bb12299bd68a3af0aa2e784c418164203efff3fe7a76081d95733eec0d", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|194621bb12299bd68a3af0aa2e784c418164203efff3fe7a76081d95733eec0d", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC041", "level": 
"warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 105976, "scanner": "repobility-threat-engine", "fingerprint": "a94d922db6bde750a67ecbe6424a4be63fc6212fcdd76a80432574b5d28f4f72", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"https://github.com/sibidharan/zealphp/blob/master/docs/deployment.md#opcache-settings-for-l", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|173|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "template/pages/deployment.php"}, "region": {"startLine": 173}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 105975, "scanner": "repobility-threat-engine", "fingerprint": "ba14db55f25c7451a51895a1c8c66f68be6a68346a7d89d16a45592e428febb4", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"https://deepwiki.com/sibidharan/zealphp\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|template/_nav.php|62|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "template/_nav.php"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 105974, "scanner": "repobility-threat-engine", "fingerprint": "b9bf5bafb6684ab39e53897542f9cabcc883e29bc48f071c9e97d6b834b33016", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "<a href=\"https://github.com/sibidharan/zealphp\" target=\"_blank\">", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|template/_footer.php|8|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "template/_footer.php"}, "region": {"startLine": 8}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 105973, "scanner": "repobility-threat-engine", "fingerprint": "99597d98ac1b6b2adc341d3db4d645d164c5c3fdbb9ec739a45083c36c0a55b1", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ">exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|162|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Session/Handler/RedisSessionHandler.php"}, "region": {"startLine": 162}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 105970, "scanner": "repobility-threat-engine", "fingerprint": "cdb2fc4ebbf9d40731b0dbf6e4c1e683ecb08acbea1264b8ab49815373b66658", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.5 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: setup/install wizard (placeholder values)]", "evidence": {"match": "PASSWORD=\"<redacted>\"", "reason": "Low entropy value (3.5 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: setup/install wizard (placeholder values)]", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|scripts/app-lab/setup.sh|2|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/app-lab/setup.sh"}, "region": {"startLine": 30}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 
105957, "scanner": "repobility-threat-engine", "fingerprint": "6c65ec97c7e7f0684290a84c0af01f11d5fbb9b0b163e7ee270fa706c6bf20fc", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6c65ec97c7e7f0684290a84c0af01f11d5fbb9b0b163e7ee270fa706c6bf20fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/learn-tictactoe.js"}, "region": {"startLine": 195}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 105956, "scanner": "repobility-threat-engine", "fingerprint": "b81f47a912ec0bebd8be7e0392bba58ca5d91e76cac2f922eccbf4fc59e508d0", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b81f47a912ec0bebd8be7e0392bba58ca5d91e76cac2f922eccbf4fc59e508d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/learn-chatroom.js"}, "region": {"startLine": 131}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 105955, "scanner": "repobility-threat-engine", "fingerprint": "cc104abacffe695233f417065365676a81c4e91c88de3620d969a4d5d7b5fb93", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": 
"open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (_) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cc104abacffe695233f417065365676a81c4e91c88de3620d969a4d5d7b5fb93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/demo-shell.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 105927, "scanner": "repobility-threat-engine", "fingerprint": "202b63f7e0252f511b4ea90be0874e1a970f08dde5bfd8b025105c9798efbd80", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'John Doe'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|202b63f7e0252f511b4ea90be0874e1a970f08dde5bfd8b025105c9798efbd80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/zeal/sessleak.php"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. 
AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 105926, "scanner": "repobility-threat-engine", "fingerprint": "5d5347d132a03445cecd675562bc4cd3045492fbcd5e5780c1bd0987058470e5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'John Doe'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5d5347d132a03445cecd675562bc4cd3045492fbcd5e5780c1bd0987058470e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/swoole/sessleak.php"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. 
In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 105925, "scanner": "repobility-threat-engine", "fingerprint": "d44e72c4959e867eac99701bca8ca78bce393fbf84a9e7e761070c529d8a57b2", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'John Doe'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d44e72c4959e867eac99701bca8ca78bce393fbf84a9e7e761070c529d8a57b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/swoole/co.php"}, "region": {"startLine": 11}}}]}, {"ruleId": "AGT007", "level": "warning", "message": {"text": "localStorage write failures are swallowed silently"}, "properties": {"repobilityId": 105920, "scanner": "repobility-agent-runtime", "fingerprint": "261020136b683dba912f7b14ee514c80cb02156ca1a951578a3650881503eacc", "category": "quality", "severity": "medium", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File writes to localStorage and has an empty or ignore-only catch block without QuotaExceededError handling.", "evidence": {"rule_id": "AGT007", "scanner": "repobility-agent-runtime", "references": ["https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API"], "correlation_key": "fp|261020136b683dba912f7b14ee514c80cb02156ca1a951578a3650881503eacc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/pages/home.js"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 105910, "scanner": "repobility-ast-engine", "fingerprint": 
"31fa47c6ec596c3faab66c2c5fc5e4cc031908d2a7e5d18dcd2a9b9516804468", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|31fa47c6ec596c3faab66c2c5fc5e4cc031908d2a7e5d18dcd2a9b9516804468"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/tail/tail_bench.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 105909, "scanner": "repobility-ast-engine", "fingerprint": "d1c39bf328d54c57b3fb2db8b893f11d02e0d649669a0ea4b8d7c8e2a143ac0b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d1c39bf328d54c57b3fb2db8b893f11d02e0d649669a0ea4b8d7c8e2a143ac0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "labs-bench/tail_bench.py"}, "region": {"startLine": 114}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 105989, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", 
"references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 105987, "scanner": "repobility-docker", "fingerprint": "47407930733d4a6d73aec7e2ea1a6714160d38fed5f45cd9304705b8ac2ad3f4", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "compare", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|47407930733d4a6d73aec7e2ea1a6714160d38fed5f45cd9304705b8ac2ad3f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 105986, "scanner": "repobility-docker", "fingerprint": "65f13681157f2621891920415a4dcb883146fd919f3f560c89d78571b22a985e", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "compare", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|65f13681157f2621891920415a4dcb883146fd919f3f560c89d78571b22a985e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, 
"region": {"startLine": 31}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 105985, "scanner": "repobility-docker", "fingerprint": "ebc9e12fd86aa7e58378b33a5049f1b8ed75f62e2fe06303ad4c5c01ed78f30a", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "bench", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ebc9e12fd86aa7e58378b33a5049f1b8ed75f62e2fe06303ad4c5c01ed78f30a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 105984, "scanner": "repobility-docker", "fingerprint": "94428d82e2cc50d8438f3d6ffa51ab1ad501474119114ba18bc20c1e6489ff6d", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "bench", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|94428d82e2cc50d8438f3d6ffa51ab1ad501474119114ba18bc20c1e6489ff6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 105983, "scanner": "repobility-docker", "fingerprint": 
"7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7f80983f54868d8bec198a3977b7dcbe8bfb5f2291356d590fb078148e91780d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 105982, "scanner": "repobility-docker", "fingerprint": "2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "app", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2ae03d2ca68f689d193058b7c353aabad57bc3d37942d6a7c1406762df909513"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 105980, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets 
and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 105960, "scanner": "repobility-threat-engine", "fingerprint": "f79ed9375ab7d06de20f2db22f35c6aad524843bfd7f80445c8f781d288ad7d3", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = r", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|public/js/pages/home.js|108|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/pages/home.js"}, "region": {"startLine": 108}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: else=1, except=1, for=1, if=5, nested_bonus=6."}, "properties": {"repobilityId": 105944, "scanner": "repobility-threat-engine", "fingerprint": "bc91ff219ed46430ec1f8fba5fe613f066f166eea89534d9ac18760eb731f976", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 14 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 5, "for": 1, "else": 1, "except": 1, "nested_bonus": 6}, "complexity": 14, "correlation_key": "fp|bc91ff219ed46430ec1f8fba5fe613f066f166eea89534d9ac18760eb731f976"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/agents/chat_agent.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `run_rate` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: break=1, else=1, if=5, nested_bonus=4, while=1."}, "properties": {"repobilityId": 105943, "scanner": "repobility-threat-engine", "fingerprint": "a23fe4a88f1dae00640a6a92c8768c7e7db496291485f234514dc5ce213ef9f0", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 12 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "run_rate", "breakdown": {"if": 5, "else": 1, "break": 1, "while": 1, "nested_bonus": 4}, "complexity": 12, "correlation_key": "fp|a23fe4a88f1dae00640a6a92c8768c7e7db496291485f234514dc5ce213ef9f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/tail/tail_bench.py"}, "region": {"startLine": 75}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `main` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: for=4, if=3, nested_bonus=5, ternary=1."}, "properties": {"repobilityId": 105942, "scanner": "repobility-threat-engine", "fingerprint": "5f93d57204e7c41209a2be92b5ff5b63b41ab8065e0ad44a14ac0820dd73d0a1", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 13 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 3, "for": 4, "ternary": 1, "nested_bonus": 5}, "complexity": 13, "correlation_key": "fp|5f93d57204e7c41209a2be92b5ff5b63b41ab8065e0ad44a14ac0820dd73d0a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/tail/tail_bench.py"}, "region": {"startLine": 187}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105908, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ecda033da1091a94ec828095f0dd424167814026f2a58e2989e7dccf957c1f04", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tests/Unit/CacheControlMiddlewareTest.php", "duplicate_line": 14, "correlation_key": "fp|ecda033da1091a94ec828095f0dd424167814026f2a58e2989e7dccf957c1f04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/MimeTypeMiddlewareTest.php"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105907, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"6c3c88a1c8cbb0f91888b2997cbe1c6250a3d864c6920b7f2b59712fecba029f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tests/Unit/MergeSlashesMiddlewareTest.php", "duplicate_line": 4, "correlation_key": "fp|6c3c88a1c8cbb0f91888b2997cbe1c6250a3d864c6920b7f2b59712fecba029f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/Middleware/MergeSlashesMiddlewareTest.php"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105906, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7fa66f11f9a4b66dcbfd95dbe30250c83514125358fe40dddb256219dfbb6a75", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tests/Unit/LifecycleModeTest.php", "duplicate_line": 80, "correlation_key": "fp|7fa66f11f9a4b66dcbfd95dbe30250c83514125358fe40dddb256219dfbb6a75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/LifecycleModesMatrixTest.php"}, "region": {"startLine": 34}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105905, "scanner": "repobility-ai-code-hygiene", "fingerprint": "252c01d05af4f7dc47585f606875078f979fdde8c9042be18f44b07b695ca9b6", "category": "quality", "severity": "low", "confidence": 
0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tests/Unit/HTTP/ResponseExtraTest.php", "duplicate_line": 10, "correlation_key": "fp|252c01d05af4f7dc47585f606875078f979fdde8c9042be18f44b07b695ca9b6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/HTTP/ResponseTest.php"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105904, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f1a42cad2857c968b4ae937fe2ad4d3b5304ed146bd89422114323b2b1389a76", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tests/Unit/CacheControlMiddlewareTest.php", "duplicate_line": 14, "correlation_key": "fp|f1a42cad2857c968b4ae937fe2ad4d3b5304ed146bd89422114323b2b1389a76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/ExpiresMiddlewareTest.php"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105903, "scanner": "repobility-ai-code-hygiene", "fingerprint": "45a444ae0e5bb7d0e1c12b905fcd7cb00799465243348ffd6d44fcaf5c7fb2e6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two 
different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tests/Unit/CacheControlMiddlewareTest.php", "duplicate_line": 14, "correlation_key": "fp|45a444ae0e5bb7d0e1c12b905fcd7cb00799465243348ffd6d44fcaf5c7fb2e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/ContentLanguageMiddlewareTest.php"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105902, "scanner": "repobility-ai-code-hygiene", "fingerprint": "577b4ddfaae0cc1202b7a2249d0b4a45b17dbba9c46e1752f02e039b6e2174a9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tests/Unit/CacheControlMiddlewareTest.php", "duplicate_line": 14, "correlation_key": "fp|577b4ddfaae0cc1202b7a2249d0b4a45b17dbba9c46e1752f02e039b6e2174a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/ContentEncodingMiddlewareTest.php"}, "region": {"startLine": 14}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105901, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8911018e0eae439d7aaee1d4738328480dcdc43acba173a2cb59a46164223d74", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", 
"references": ["https://jscpd.dev/"], "duplicate_file": "tests/Unit/CgiHotfixTest.php", "duplicate_line": 20, "correlation_key": "fp|8911018e0eae439d7aaee1d4738328480dcdc43acba173a2cb59a46164223d74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/CgiWorkerTest.php"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105900, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4126e3788579b2eaf8a0ac5e92990cc9515dbe417d761e1660ece6b902911554", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tests/Unit/CGI/CgiSubprocessTest.php", "duplicate_line": 16, "correlation_key": "fp|4126e3788579b2eaf8a0ac5e92990cc9515dbe417d761e1660ece6b902911554"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/CgiHotfixTest.php"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105899, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0ce0e3c7f70befdd0ffafc9febd5bb81ea4681b4eabf0400b9724c958e32b1bb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tests/Unit/CgiBackendDispatchTest.php", "duplicate_line": 45, "correlation_key": 
"fp|0ce0e3c7f70befdd0ffafc9febd5bb81ea4681b4eabf0400b9724c958e32b1bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/CgiFcgiDispatchTest.php"}, "region": {"startLine": 45}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105898, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8bff09d06fd4b6a970e28e54884642776b921bb479821fa23ffab5c12d0bb444", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tests/Unit/CGI/ForkServerTest.php", "duplicate_line": 59, "correlation_key": "fp|8bff09d06fd4b6a970e28e54884642776b921bb479821fa23ffab5c12d0bb444"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Unit/CGI/ForkWatchdogTest.php"}, "region": {"startLine": 46}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105897, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4111c3ce85c5eafacf1b5b64a6c481e6779f31df09f4c9e0a8da360e2c42fbcc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "scripts/isolation/concurrent-driver.php", "duplicate_line": 20, "correlation_key": "fp|4111c3ce85c5eafacf1b5b64a6c481e6779f31df09f4c9e0a8da360e2c42fbcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"tests/Integration/TrustBarIsolationTest.php"}, "region": {"startLine": 68}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105896, "scanner": "repobility-ai-code-hygiene", "fingerprint": "aadfc100830d685163c6ad48f020da4a78a0801ef60ab57c115fbeefb50c9bb6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tests/Integration/CgiSessionPersistenceTest.php", "duplicate_line": 44, "correlation_key": "fp|aadfc100830d685163c6ad48f020da4a78a0801ef60ab57c115fbeefb50c9bb6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Integration/SuperglobalsParityTest.php"}, "region": {"startLine": 27}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105895, "scanner": "repobility-ai-code-hygiene", "fingerprint": "67325747f5782c3350ce983a8c4028ddc510f004f05afef0f5f91ab62405b618", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tests/Integration/HostHeaderConformanceTest.php", "duplicate_line": 8, "correlation_key": "fp|67325747f5782c3350ce983a8c4028ddc510f004f05afef0f5f91ab62405b618"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Integration/Http1FramingConformanceTest.php"}, "region": {"startLine": 6}}}]}, {"ruleId": 
"AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105894, "scanner": "repobility-ai-code-hygiene", "fingerprint": "accd25ce64def24956ccbd06856d729e1fd6d13959bab7c45994f939fb4b3be5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tests/Integration/CoroutineIsolationContractTest.php", "duplicate_line": 30, "correlation_key": "fp|accd25ce64def24956ccbd06856d729e1fd6d13959bab7c45994f939fb4b3be5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/Integration/CoroutineLegacyBehaviorTest.php"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105893, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2a3fb3d0fa1b6119201a6c77215a1ffdad6a4356967a0dcec7f0d59428fed13a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/fork_master.php", "duplicate_line": 48, "correlation_key": "fp|2a3fb3d0fa1b6119201a6c77215a1ffdad6a4356967a0dcec7f0d59428fed13a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/pool_worker.php"}, "region": {"startLine": 123}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105892, 
"scanner": "repobility-ai-code-hygiene", "fingerprint": "046914ee9f8af2da5770ebe97661faf858655e90070c70a7fabb67c0ccf12a01", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/Db/DbConnectionPool.php", "duplicate_line": 86, "correlation_key": "fp|046914ee9f8af2da5770ebe97661faf858655e90070c70a7fabb67c0ccf12a01"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Store/RedisConnectionPool.php"}, "region": {"startLine": 48}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105891, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ddb8aac035224e725d0b535e71c4eaa6498544cae03d66876520613ab1f1c0a5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/Counter/MemcachedCounterBackend.php", "duplicate_line": 104, "correlation_key": "fp|ddb8aac035224e725d0b535e71c4eaa6498544cae03d66876520613ab1f1c0a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Store/MemcachedBackend.php"}, "region": {"startLine": 154}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105890, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5bde234b9f53149b9160e864b50c823baf33d87425fa9490b1f0cde56bea6e2a", "category": "quality", 
"severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/Counter.php", "duplicate_line": 122, "correlation_key": "fp|5bde234b9f53149b9160e864b50c823baf33d87425fa9490b1f0cde56bea6e2a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Store.php"}, "region": {"startLine": 115}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105889, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d82862b3521c150a233189fcb512131b90905e96856d2e871781881daa8c82c7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/Session/CoSessionManager.php", "duplicate_line": 32, "correlation_key": "fp|d82862b3521c150a233189fcb512131b90905e96856d2e871781881daa8c82c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Session/SessionManager.php"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105888, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a00c24bb4cf38bc6e401fea4ca374332fc3270f6be16add207e73eccd70922d7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", 
"evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/Session/Handler/RedisSessionHandler.php", "duplicate_line": 89, "correlation_key": "fp|a00c24bb4cf38bc6e401fea4ca374332fc3270f6be16add207e73eccd70922d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Session/Handler/TableSessionHandler.php"}, "region": {"startLine": 207}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105887, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c295083af8c775cc16f360e72ef8271a750d11514536a0b78bc0f247f4cb2e07", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "src/HTTP/Client/NetworkException.php", "duplicate_line": 6, "correlation_key": "fp|c295083af8c775cc16f360e72ef8271a750d11514536a0b78bc0f247f4cb2e07"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/HTTP/Client/RequestException.php"}, "region": {"startLine": 6}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105886, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6a8b5667fd3dd987f2e2c3537d56bfad84a62c5e9f4333763711fde1571b7c06", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "public/js/demo-shell.js", "duplicate_line": 24, "correlation_key": "fp|6a8b5667fd3dd987f2e2c3537d56bfad84a62c5e9f4333763711fde1571b7c06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/site-nav.js"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105885, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a66fb0ed2317255df8179f3af587064d2f90522cd507a975218b04240b8dcf96", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/js/pages/pubsub.js", "duplicate_line": 1, "correlation_key": "fp|a66fb0ed2317255df8179f3af587064d2f90522cd507a975218b04240b8dcf96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/pages/store.js"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105884, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6c967f7edd0918e3c2fc931f62fbc63d5aaa958ce9d7947269fe07ce4b88c7e0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/js/pages/legacy-apps.js", "duplicate_line": 1, "correlation_key": "fp|6c967f7edd0918e3c2fc931f62fbc63d5aaa958ce9d7947269fe07ce4b88c7e0"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "public/js/pages/migration.js"}, "region": {"startLine": 2}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105883, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c258819449d5dbdd87cafc47f3d77ffedc3731de6bf3d1667d7daf9e37615edd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "bench/tail/tail_bench.py", "duplicate_line": 1, "correlation_key": "fp|c258819449d5dbdd87cafc47f3d77ffedc3731de6bf3d1667d7daf9e37615edd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "labs-bench/tail_bench.py"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 105882, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0c07cc32d8cf6da97cbff5d4ee6efddf11f4ab6469089c79466c5f6fa686214c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/swoole/process.php", "duplicate_line": 6, "correlation_key": "fp|0c07cc32d8cf6da97cbff5d4ee6efddf11f4ab6469089c79466c5f6fa686214c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/zeal/coproc_test.php"}, "region": {"startLine": 7}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 105881, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7daeba987637c99d2bb4636c0c7a2225b445a8811b1cd08b94d9b99a03f146ec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "api/learn/login.php", "duplicate_line": 9, "correlation_key": "fp|7daeba987637c99d2bb4636c0c7a2225b445a8811b1cd08b94d9b99a03f146ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/learn/register.php"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\" (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 105977, "scanner": "repobility-threat-engine", "fingerprint": "5da30219d5587b603828c2620444e139b089a3522fe8ad878bc1e076181451f1", "category": "security", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|5da30219d5587b603828c2620444e139b089a3522fe8ad878bc1e076181451f1"}}}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress (and 13 more): Same pattern found in 13 additional files. 
Review if needed."}, "properties": {"repobilityId": 105967, "scanner": "repobility-threat-engine", "fingerprint": "d91c2df0fc000ffebe96fdce59f0b379a8911e3739e682d60873cb4d973a0b49", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d91c2df0fc000ffebe96fdce59f0b379a8911e3739e682d60873cb4d973a0b49", "aggregated_count": 13}}}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. 
Hides real issues."}, "properties": {"repobilityId": 105966, "scanner": "repobility-threat-engine", "fingerprint": "3a1493f4c542aebbec6afa7c3b50312d4ebd498c81752a2ae897b3ba65908177", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3a1493f4c542aebbec6afa7c3b50312d4ebd498c81752a2ae897b3ba65908177"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/fork_stress.php"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. 
Hides real issues."}, "properties": {"repobilityId": 105965, "scanner": "repobility-threat-engine", "fingerprint": "cdc0c9bee4466305add1a88e8130f1044fee628bf300b73ac062537e14226061", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cdc0c9bee4466305add1a88e8130f1044fee628bf300b73ac062537e14226061"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench-fcgi-proc.php"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. 
Hides real issues."}, "properties": {"repobilityId": 105964, "scanner": "repobility-threat-engine", "fingerprint": "5ddcf24bb2858c73859a927b862567fc5bf0e0df22dadd977cd53e1acad13f8b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5ddcf24bb2858c73859a927b862567fc5bf0e0df22dadd977cd53e1acad13f8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/bench-fcgi-pool.php"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). 
Common AI hallucination."}, "properties": {"repobilityId": 105963, "scanner": "repobility-threat-engine", "fingerprint": "c05192f5f07be2e20f9b514d8b5d70b558962c031c6e45757d7f8c1e22282b5a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c05192f5f07be2e20f9b514d8b5d70b558962c031c6e45757d7f8c1e22282b5a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/pages/migration.js"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED074", "level": "none", "message": {"text": "[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). 
Common AI hallucination."}, "properties": {"repobilityId": 105962, "scanner": "repobility-threat-engine", "fingerprint": "901a3883564d0918cc402f3b512d7af4dd53649f0df0263e8096aed0cb80c41a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ai-tell-fake-citation", "owasp": null, "cwe_ids": [], "languages": ["python", "javascript", "typescript", "markdown"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348074+00:00", "triaged_in_corpus": 10, "observations_count": 12281, "ai_coder_pattern_id": 176}, "scanner": "repobility-threat-engine", "correlation_key": "fp|901a3883564d0918cc402f3b512d7af4dd53649f0df0263e8096aed0cb80c41a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/pages/legacy-apps.js"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 105961, "scanner": "repobility-threat-engine", "fingerprint": "a8b35434053af64ab98b892aa018c6015a47586a90255c41a6110a6d94f1ea09", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|a8b35434053af64ab98b892aa018c6015a47586a90255c41a6110a6d94f1ea09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/pages/home.js"}, "region": {"startLine": 35}}}]}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 105958, "scanner": "repobility-threat-engine", "fingerprint": "2949c2702d7166dac258164d4c52ef70add92ecb6c82892fbc20aaf8046756af", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2949c2702d7166dac258164d4c52ef70add92ecb6c82892fbc20aaf8046756af"}}}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services."}, "properties": {"repobilityId": 105953, "scanner": "repobility-threat-engine", "fingerprint": "e86f7363e5804898e94c82d477463c08d7a3d30c190d5c5e0c19f7b9144df5b4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e86f7363e5804898e94c82d477463c08d7a3d30c190d5c5e0c19f7b9144df5b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/agents/streaming_agent.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 105952, "scanner": "repobility-threat-engine", "fingerprint": "821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|821cba61ed8ca9932fa4a20b298f5d896106f8bf2152c246419c88b94424b756"}}}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 105948, "scanner": "repobility-threat-engine", "fingerprint": "3b8bdfa24d9cd4eada667c5ab194f5f0f33c5c1c752fd97f422f5be107cdde74", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3b8bdfa24d9cd4eada667c5ab194f5f0f33c5c1c752fd97f422f5be107cdde74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/agents/chat_agent.py"}, "region": {"startLine": 159}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 105947, "scanner": "repobility-threat-engine", "fingerprint": "a89c4db3745f04c659989b66559964522e700cc045e018e7136c7d41562576ca", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Environment variable or config lookup (credentials loaded safely)", "evidence": {"match": "print(\"<p>Script: \" + os.environ.get(\"SCRIPT_FILENAME\", \"unknown\")", "reason": "Environment variable or config lookup (credentials loaded safely)", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|1|print p script: + os.environ.get script_filename unknown"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/multi-lang-cgi/public/hello.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 105946, "scanner": "repobility-threat-engine", "fingerprint": "3d0ad466241ff4186004f7b080cc169ee2228f05b37a54ae1eab560e7dd247e1", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "print(\"event: token\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|15|print event: token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/agents/chat_agent.py"}, "region": {"startLine": 159}}}]}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 105945, "scanner": "repobility-threat-engine", "fingerprint": "7195ad2ed9d17b05fb3343deb30e489e47b88806e32e44e36b1ae21ff4fb7c7d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "main", "breakdown": {"if": 3, "for": 4, "ternary": 1, "nested_bonus": 5}, "aggregated": true, "complexity": 13, "correlation_key": "fp|7195ad2ed9d17b05fb3343deb30e489e47b88806e32e44e36b1ae21ff4fb7c7d", "aggregated_count": 6}}}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 105941, "scanner": "repobility-threat-engine", "fingerprint": "77fc383b0fb8508b589022e876a40d8d9a986c8409e77e85486520c7a2bbaf21", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|77fc383b0fb8508b589022e876a40d8d9a986c8409e77e85486520c7a2bbaf21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "labs-bench/tail_bench.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED055", "level": "none", "message": {"text": "[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci."}, "properties": {"repobilityId": 105940, "scanner": "repobility-threat-engine", "fingerprint": "636c299058e867933e9332c86c25ac2996a3635d2f2db68ef670cb06d3516edd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": 
true, "mining": {"slug": "npm-install-no-lockfile", "owasp": "A06:2021", "cwe_ids": ["CWE-1357"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348030+00:00", "triaged_in_corpus": 12, "observations_count": 317602, "ai_coder_pattern_id": 42}, "scanner": "repobility-threat-engine", "correlation_key": "fp|636c299058e867933e9332c86c25ac2996a3635d2f2db68ef670cb06d3516edd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/tail/tail_bench.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 105939, "scanner": "repobility-threat-engine", "fingerprint": "b1b309718b4a47b9248df8af0898737299518dfd8254425292ae5620b3a05de9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b1b309718b4a47b9248df8af0898737299518dfd8254425292ae5620b3a05de9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "scripts/fuzz/send_raw.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 105938, "scanner": "repobility-threat-engine", "fingerprint": "30546301adc555d6f356b13ece764f51b59693758214bd83ed94399e5cb72605", "category": "quality", "severity": "info", 
"confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|30546301adc555d6f356b13ece764f51b59693758214bd83ed94399e5cb72605"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "labs-bench/tail_bench.py"}, "region": {"startLine": 257}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 105937, "scanner": "repobility-threat-engine", "fingerprint": "c81d68dcad19d61010ce3b974e7b338bcaa79db003e8b261853104ff85cae08c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c81d68dcad19d61010ce3b974e7b338bcaa79db003e8b261853104ff85cae08c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/tail/tail_bench.py"}, "region": {"startLine": 257}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 105931, "scanner": "repobility-threat-engine", "fingerprint": "cb9e8285ca55c3465177cab48d4b58e9827988e1a6ca7d858951768502fa93ad", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cb9e8285ca55c3465177cab48d4b58e9827988e1a6ca7d858951768502fa93ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "node_bench.js"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 105930, "scanner": "repobility-threat-engine", "fingerprint": "b8c7637b04a385be8aafebc32d5ce2f40d949ed5ab08a4824e9571a4bfac263c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b8c7637b04a385be8aafebc32d5ce2f40d949ed5ab08a4824e9571a4bfac263c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/compare-3way/node_raw.js"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 105929, "scanner": "repobility-threat-engine", "fingerprint": "22c21b664973fcdf7cb638c58f29bc4bf8b15c3adc222052fa71f89d2884c28b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|22c21b664973fcdf7cb638c58f29bc4bf8b15c3adc222052fa71f89d2884c28b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/compare-3way/node_express.js"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC134", "level": "none", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 105928, "scanner": "repobility-threat-engine", "fingerprint": "2fc2352ee79a239983bde3b99e3e602f191c3f964939343206bb75ac755d22c0", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|2fc2352ee79a239983bde3b99e3e602f191c3f964939343206bb75ac755d22c0"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 105924, "scanner": "repobility-threat-engine", "fingerprint": "133d0321df668823d68fda7a262cc53d13053f2174d79a753e1fabffb7f20eec", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|133d0321df668823d68fda7a262cc53d13053f2174d79a753e1fabffb7f20eec", "aggregated_count": 4}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 105923, "scanner": "repobility-threat-engine", "fingerprint": "f2cfddd854d6c3534eedfdd13f3fde940eba224863b0e0008a086edafe26ea94", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, 
"observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f2cfddd854d6c3534eedfdd13f3fde940eba224863b0e0008a086edafe26ea94"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/coroutine.php"}, "region": {"startLine": 10}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 105922, "scanner": "repobility-threat-engine", "fingerprint": "fd31e75591392ad5f7bcc1bde8c16cc17985499ecbef2f724df201486199b931", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fd31e75591392ad5f7bcc1bde8c16cc17985499ecbef2f724df201486199b931"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/tail/tail_bench.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 105921, "scanner": "repobility-threat-engine", "fingerprint": "63e1bd54862be0ef23d5d3b739c957ca10da3cc8acfe40a91ffc0dbf9cb12716", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], 
"precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|63e1bd54862be0ef23d5d3b739c957ca10da3cc8acfe40a91ffc0dbf9cb12716"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "api/php/coroutine_test.php"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 105969, "scanner": "repobility-threat-engine", "fingerprint": "524c4f581333c2633057f925591235267016965e3cf1ce5c4ac528bd49317505", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|524c4f581333c2633057f925591235267016965e3cf1ce5c4ac528bd49317505"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Middleware/BasicAuthMiddleware.php"}, "region": {"startLine": 148}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 105968, "scanner": "repobility-threat-engine", "fingerprint": "b5bea859e2a5080cbb82b46b5a8f7e6ec779da2863b334b0031d1bd60d3d9409", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": 
{"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b5bea859e2a5080cbb82b46b5a8f7e6ec779da2863b334b0031d1bd60d3d9409"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "route/convert.php"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 105959, "scanner": "repobility-threat-engine", "fingerprint": "a53d776cf7f9268f694e5a4e6e4828821089612ad4d6c26f3e67d17cf6709be5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "typingUsers.delete(user);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a53d776cf7f9268f694e5a4e6e4828821089612ad4d6c26f3e67d17cf6709be5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/learn-chatroom.js"}, "region": {"startLine": 117}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Note that browsers refuse to honor `*` together with `Access-Control-Allow-Credentials: true`, so a bare `*` exposes only what an unauthenticated client could already fetch; the more severe pattern is a handler that reflects the request Origin while also sending `Access-Control-Allow-Credentials: true`, which does expose authenticated responses to any site."}, "properties": {"repobilityId": 105954, "scanner": "repobility-threat-engine", "fingerprint": "b4c96be3e2ceb1e4222b987b9f8ce0b6f0d57ce1f156a81a1b4dfb2dddff66ca", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "header('Access-Control-Allow-Origin: *'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b4c96be3e2ceb1e4222b987b9f8ce0b6f0d57ce1f156a81a1b4dfb2dddff66ca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/lamp-scaffold/public/api/users.php"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 105951, "scanner": "repobility-threat-engine", "fingerprint": "9a01255ea76c1330e2e3d5f5d587ba0cf0a71d506dcf9c98bd83e93d7328ddf6", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url(G", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9a01255ea76c1330e2e3d5f5d587ba0cf0a71d506dcf9c98bd83e93d7328ddf6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "route/_error_test.php"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 105950, "scanner": "repobility-threat-engine", "fingerprint": "d3954cf5caf32f1651ea1225298b4a183a7eb8b261ec95440bd369df62292457", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(l", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d3954cf5caf32f1651ea1225298b4a183a7eb8b261ec95440bd369df62292457"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/js/learn-tictactoe.js"}, "region": {"startLine": 211}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 105949, "scanner": "repobility-threat-engine", "fingerprint": "3d007ed6d317a47b4efa9bfeb4cc49a1b283230371557bef957eedec4e212b14", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "urllib.request.urlopen(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3d007ed6d317a47b4efa9bfeb4cc49a1b283230371557bef957eedec4e212b14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/agents/notes_agent.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 105936, "scanner": "repobility-threat-engine", "fingerprint": "a67160deb3b918b9dcd0aa7fc0acb10360ca94c2e5f0f10b84ecaebd19f64def", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a67160deb3b918b9dcd0aa7fc0acb10360ca94c2e5f0f10b84ecaebd19f64def"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "labs-bench/tail_bench.py"}, "region": {"startLine": 256}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch 
Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 105935, "scanner": "repobility-threat-engine", "fingerprint": "1a0245d491f6a204030f05e2c43c35561d2004f0fde2f3f9aefe46595912e78e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1a0245d491f6a204030f05e2c43c35561d2004f0fde2f3f9aefe46595912e78e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/tail/tail_bench.py"}, "region": {"startLine": 256}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 105934, "scanner": "repobility-threat-engine", "fingerprint": "b99577e9b5c07b5d21e33b5d153b517c1512699c44d19668863793a5be23a980", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b99577e9b5c07b5d21e33b5d153b517c1512699c44d19668863793a5be23a980"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "scripts/fuzz/send_raw.py"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 105933, "scanner": "repobility-threat-engine", "fingerprint": "b761ad682bb5516677b42f4dbad77ebbfef96d010f946e40a95442b228771f2e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b761ad682bb5516677b42f4dbad77ebbfef96d010f946e40a95442b228771f2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "labs-bench/tail_bench.py"}, "region": {"startLine": 256}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 105932, "scanner": "repobility-threat-engine", "fingerprint": "bc57e190263a16802cd2a986cbfe6ede6afa1f628fe0d50480b16a1b6250d864", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, 
"observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bc57e190263a16802cd2a986cbfe6ede6afa1f628fe0d50480b16a1b6250d864"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/tail/tail_bench.py"}, "region": {"startLine": 256}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `memcached:1.6-alpine` unpinned"}, "properties": {"repobilityId": 105919, "scanner": "repobility-supply-chain", "fingerprint": "442884ba1dbd7a68f974d166529d5534a2e9a7fb9b5acbe06ae585df2e827c4c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|442884ba1dbd7a68f974d166529d5534a2e9a7fb9b5acbe06ae585df2e827c4c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/mutation.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `valkey/valkey:7-alpine` unpinned"}, "properties": {"repobilityId": 105918, "scanner": "repobility-supply-chain", "fingerprint": "842850ab3bd95776e0f27b70f659401b62386314bdd86db0ff9a5e60e0a33867", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|842850ab3bd95776e0f27b70f659401b62386314bdd86db0ff9a5e60e0a33867"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/mutation.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `mariadb:11` unpinned"}, "properties": {"repobilityId": 105917, "scanner": "repobility-supply-chain", "fingerprint": "27145c14a1667364ef332656df83a3ef2959dbbc8e60a211fcf4f2bc77204529", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|27145c14a1667364ef332656df83a3ef2959dbbc8e60a211fcf4f2bc77204529"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `memcached:1.6-alpine` unpinned"}, "properties": {"repobilityId": 105916, "scanner": "repobility-supply-chain", "fingerprint": "7eeaafcd7b26853e027317657d13664fd603e4aedbd2a92ff7d855fa092c49d8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7eeaafcd7b26853e027317657d13664fd603e4aedbd2a92ff7d855fa092c49d8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "Workflow container/services image `valkey/valkey:7-alpine` unpinned"}, "properties": {"repobilityId": 105915, "scanner": "repobility-supply-chain", "fingerprint": 
"f75fd46040069785898e10136c9ab15ca5aa97d892fb81c8cc50431504a8e84b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f75fd46040069785898e10136c9ab15ca5aa97d892fb81c8cc50431504a8e84b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "Dockerfile FROM `zealphp:local` not pinned by digest"}, "properties": {"repobilityId": 105913, "scanner": "repobility-supply-chain", "fingerprint": "9cdbd0e730b6b088fe13010abc99641b7b7c40c289b41942b766362efd87899a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9cdbd0e730b6b088fe13010abc99641b7b7c40c289b41942b766362efd87899a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "bench/compare-3way/Dockerfile.bench"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `input` inside async function `main`"}, "properties": {"repobilityId": 105912, "scanner": "repobility-ast-engine", "fingerprint": "75454912dec6f227989fd8da15cb3822fdcf9ff7e31fb4385f3ac16f024dd492", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": 
["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|75454912dec6f227989fd8da15cb3822fdcf9ff7e31fb4385f3ac16f024dd492"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/agents/streaming_agent.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "MINED110", "level": "error", "message": {"text": "Blocking call `input` inside async function `main`"}, "properties": {"repobilityId": 105911, "scanner": "repobility-ast-engine", "fingerprint": "6fe8a12d6380ddb5a384ddec53102d024f56d0d30d33749dd6eea0525a011344", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "asyncio-blocking-call", "owasp": null, "cwe_ids": ["CWE-833"], "languages": ["python"], "observations_count": 31606}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6fe8a12d6380ddb5a384ddec53102d024f56d0d30d33749dd6eea0525a011344"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/agents/config_converter.py"}, "region": {"startLine": 2951}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 105988, "scanner": "gitleaks", "fingerprint": "2ba28b6c98534676366da7e77a2dce807665fb71cd2dc0e9473db223b5d0e4f1", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "nSec-WebSocket-Key: REDACTED\\r", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|token|292|nsec-websocket-key: redacted r"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/superpowers/plans/2026-05-14-learn-section.md"}, "region": 
{"startLine": 2929}}}]}, {"ruleId": "SEC039", "level": "error", "message": {"text": "[SEC039] Plaintext-equivalent password hash \u2014 unsalted single-pass digest: Single-pass digest of a password is cryptographically strong as a hash, but is rainbow-table-attackable when used for passwords: there's no salt and no key-stretching. Attackers with the hash database can crack 90%+ of common passwords offline in hours. CWE-916 (use of password hash without computational effort)."}, "properties": {"repobilityId": 105972, "scanner": "repobility-threat-engine", "fingerprint": "4f06b17fa6cc2709341f13a0305b767811cb9b42834b5eede54a23125f45bd56", "category": "crypto", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "md5($password", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC039", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|234|sec039"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Middleware/BasicAuthMiddleware.php"}, "region": {"startLine": 234}}}]}, {"ruleId": "SEC039", "level": "error", "message": {"text": "[SEC039] Plaintext-equivalent password hash \u2014 unsalted single-pass digest: Single-pass digest of a password is cryptographically strong as a hash, but is rainbow-table-attackable when used for passwords: there's no salt and no key-stretching. Attackers with the hash database can crack 90%+ of common passwords offline in hours. 
CWE-916 (use of password hash without computational effort)."}, "properties": {"repobilityId": 105971, "scanner": "repobility-threat-engine", "fingerprint": "9bbea9d08449729a5a287a44606d076ff9c0a83e18008bb7262c1ea2945fe047", "category": "crypto", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "hash($password", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC039", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|src/learn/auth.php|24|sec039"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Learn/Auth.php"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 105914, "scanner": "repobility-supply-chain", "fingerprint": "751435fdb025cb226dc4321522f5ec88235653948d63773a88a746feb71b0ee8", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|751435fdb025cb226dc4321522f5ec88235653948d63773a88a746feb71b0ee8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 244}}}]}]}]}
