{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `compare_results` has cognitive complexity 21 (SonarSource scale). Cogniti", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `compare_results` has cognitive complexity 21 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursi"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 21."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "Bare except continues silently", "shortDescription": {"text": "Bare except continues silently"}, "fullDescription": {"text": "Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED003", "name": "[MINED003] Rust Unwrap In Prod (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED003] Rust Unwrap In Prod (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-755 (Improper Handling of Exceptional Conditions) for context. A panic on None/Err is usually deliberate in fuzz harnesses, benchmarks, examples and tests, so confirm the flagged file is shipped code before treating the finding as a defect."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `actions/upload-artifact` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/upload-artifact@v4` is resolved at workflow-run time. Tags and branches can be re-pushed by the action owner or by anyone holding the owner's credentials; that is what let the tj-actions/changed-files compromise (2025) reach roughly 23K repos at once. Pin to the full 40-character commit SHA and keep the version as a trailing comment (`uses: actions/upload-artifact@<40-char sha> # v4`) so the pin stays auditable, then let Dependabot or Renovate propose SHA bumps. A SHA pin only stops silent retargeting of an existing ref; each bump PR still needs review to catch a malicious new release."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED131", "name": "pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v6.0.0`", "shortDescription": {"text": "pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v6.0.0`"}, "fullDescription": {"text": "`.pre-commit-config.yaml` references `https://github.com/pre-commit/pre-commit-hooks` at `rev: v6.0.0`. Because `v6.0.0` is a tag rather than a commit SHA, the repo owner (or anyone holding their credentials) can move it, and `pre-commit install --install-hooks` will fetch whatever it then points at onto every developer's machine. Pin `rev:` to the full commit SHA of the release and review each bump deliberately."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger", "shortDescription": {"text": "Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger"}, "fullDescription": {"text": "This workflow runs on `pull_request`, so the job checks out and executes the pull request's code (including any changes the PR makes to scripts or to the workflow itself) while `${{ secrets.CODECOV_TOKEN }}` is referenced in the same job. For PRs opened from forks GitHub withholds repository secrets (only a read-only `GITHUB_TOKEN` is provided), so the expression is empty there; the real exposure is PRs from branches of this repository, where anyone with push access can read and exfiltrate the token (modify a script, log the value, etc.). Do NOT change the trigger to `pull_request_target` to make the token available to forks: that event runs with the base repository's secrets and a write-capable token, and checking out and executing the PR head under it is the classic 'pwn request' pattern. Instead keep `pull_request`, gate the upload step on the head repo being this repository (`if: github.event.pull_request.head.repo.full_name == github.repository`), and check whether Codecov's tokenless upload for public-repo fork PRs covers the fork case."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, 
"automationDetails": {"id": "repobility/1078"}, "properties": {"repository": "uutils/grep", "repoUrl": "https://github.com/uutils/grep", "branch": "main"}, "results": [{"ruleId": "COMP001", "level": "warning", "message": {"text": "[COMP001] High cognitive complexity: Function `compare_results` has cognitive complexity 21 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: and=4, else=2, except=2, for=2, if=7, nested_bonus=4."}, "properties": {"repobilityId": 105880, "scanner": "repobility-threat-engine", "fingerprint": "cb15ec8d2504ca04286a4866671481b23a93a682907f1c22363892e148abb10b", "category": "quality", "severity": "medium", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 21 (severity threshold for medium: 15+).", "evidence": {"scanner": "repobility-threat-engine", "function": "compare_results", "breakdown": {"if": 7, "and": 4, "for": 2, "else": 2, "except": 2, "nested_bonus": 4}, "complexity": 21, "correlation_key": "fp|cb15ec8d2504ca04286a4866671481b23a93a682907f1c22363892e148abb10b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "util/compare_test_results.py"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 105848, "scanner": "repobility-ast-engine", "fingerprint": "5873678dff0b3894a2b04de1dbf8ec6e3f142a33fdf2e7d831ca9975bade3db3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, 
"reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5873678dff0b3894a2b04de1dbf8ec6e3f142a33fdf2e7d831ca9975bade3db3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "util/compare_test_results.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "Bare except continues silently"}, "properties": {"repobilityId": 105847, "scanner": "repobility-ast-engine", "fingerprint": "3618ccf483ac54473e05ca40237472c7d848cf68a3eb881fe0762bb6e40d240e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|3618ccf483ac54473e05ca40237472c7d848cf68a3eb881fe0762bb6e40d240e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "util/compare_test_results.py"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED003", "level": "none", "message": {"text": "[MINED003] Rust Unwrap In Prod (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 105879, "scanner": "repobility-threat-engine", "fingerprint": "f479ee098628a96191aa92863a83c0639a4ec73ea4f699cae980a187da22d83a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|f479ee098628a96191aa92863a83c0639a4ec73ea4f699cae980a187da22d83a", "aggregated_count": 1}}}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 105878, "scanner": "repobility-threat-engine", "fingerprint": "55a576039720b3bd2b85a72f17578fe255f331a643978935cb17dae9be8a0311", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|55a576039720b3bd2b85a72f17578fe255f331a643978935cb17dae9be8a0311"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fuzz/uufuzz/examples/integration_testing.rs"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 105877, "scanner": "repobility-threat-engine", "fingerprint": "e96ac7a2957214f442b2647ac98ac85d429a5c5fb799ba3659b07aa1a74261e5", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e96ac7a2957214f442b2647ac98ac85d429a5c5fb799ba3659b07aa1a74261e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "fuzz/fuzz_targets/fuzz_grep.rs"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED003", "level": "error", "message": {"text": "[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. 
Acceptable in tests; risky elsewhere."}, "properties": {"repobilityId": 105876, "scanner": "repobility-threat-engine", "fingerprint": "39036c45903fd94efe16a60641b89ee8378deced3c03666123d95d68060c1668", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "rust-unwrap-in-prod", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["rust"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347903+00:00", "triaged_in_corpus": 15, "observations_count": 386515, "ai_coder_pattern_id": 111}, "scanner": "repobility-threat-engine", "correlation_key": "fp|39036c45903fd94efe16a60641b89ee8378deced3c03666123d95d68060c1668"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "benches/grep_bench.rs"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/upload-artifact` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 105875, "scanner": "repobility-supply-chain", "fingerprint": "9326b2e0be85742bb43a94ab40933ec008c0c1af07660d1fd2b45a1500ca3956", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9326b2e0be85742bb43a94ab40933ec008c0c1af07660d1fd2b45a1500ca3956"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fuzzing.yml"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `taiki-e/install-action` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 105874, "scanner": "repobility-supply-chain", "fingerprint": 
"3cf4a5b444e5380b2130fd24a78e1c6447c38e1d9d4e821852c4e65fcabd2709", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3cf4a5b444e5380b2130fd24a78e1c6447c38e1d9d4e821852c4e65fcabd2709"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fuzzing.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`"}, "properties": {"repobilityId": 105873, "scanner": "repobility-supply-chain", "fingerprint": "c7d2c3a97ebb356970cfa1ca87e40c7b06f9c6e1f55d7a5c4931274b204067d6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c7d2c3a97ebb356970cfa1ca87e40c7b06f9c6e1f55d7a5c4931274b204067d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fuzzing.yml"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 105872, "scanner": "repobility-supply-chain", "fingerprint": "3ef1780a00b0756626ac8578a8e9d99b8eab020c4823c5d7532dbe94ce0c530e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": 
["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3ef1780a00b0756626ac8578a8e9d99b8eab020c4823c5d7532dbe94ce0c530e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fuzzing.yml"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `taiki-e/install-action` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 105871, "scanner": "repobility-supply-chain", "fingerprint": "ba23ff16bdb48d9e7e044414d92e5e26e4e2344c188a4d9d80e84e18dbf6ba88", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ba23ff16bdb48d9e7e044414d92e5e26e4e2344c188a4d9d80e84e18dbf6ba88"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fuzzing.yml"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`"}, "properties": {"repobilityId": 105870, "scanner": "repobility-supply-chain", "fingerprint": "8f02447a9852742fe7c0972ba1ea7b622b1562568d14a85efe4505c0489e7ae5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8f02447a9852742fe7c0972ba1ea7b622b1562568d14a85efe4505c0489e7ae5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fuzzing.yml"}, "region": 
{"startLine": 63}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 105869, "scanner": "repobility-supply-chain", "fingerprint": "8afbd5e6c6b71be8157ed1f255452080fefe5a0b05d6000d180e811e151c5561", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8afbd5e6c6b71be8157ed1f255452080fefe5a0b05d6000d180e811e151c5561"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fuzzing.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`"}, "properties": {"repobilityId": 105868, "scanner": "repobility-supply-chain", "fingerprint": "7919f16c24d1329bd12e38729e37596c01dba72797620c5ac52e44827a6f866d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7919f16c24d1329bd12e38729e37596c01dba72797620c5ac52e44827a6f866d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fuzzing.yml"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 105867, "scanner": "repobility-supply-chain", "fingerprint": "1f974e178cc1aa75b3f05059e222e55b18a80b4d329f02ac553533a69ffdd0ce", "category": 
"dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1f974e178cc1aa75b3f05059e222e55b18a80b4d329f02ac553533a69ffdd0ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fuzzing.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `CodSpeedHQ/action` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 105866, "scanner": "repobility-supply-chain", "fingerprint": "bfb9377ff326525f4584939c92087943ecf1d29a12d981d3d614aa7f89807061", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bfb9377ff326525f4584939c92087943ecf1d29a12d981d3d614aa7f89807061"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codspeed.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `moonrepo/setup-rust` pinned to mutable ref `@v0`"}, "properties": {"repobilityId": 105865, "scanner": "repobility-supply-chain", "fingerprint": "664ad20befe10d0c3c6e933877ee663d3079ac093d976888a2cdcd8a6692f2ac", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": 
"repobility-supply-chain", "correlation_key": "fp|664ad20befe10d0c3c6e933877ee663d3079ac093d976888a2cdcd8a6692f2ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codspeed.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 105864, "scanner": "repobility-supply-chain", "fingerprint": "015cc2f6b6003dbff9b7edbb33ca3dde361e1278583c799f0dd5ec5566df7b3c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|015cc2f6b6003dbff9b7edbb33ca3dde361e1278583c799f0dd5ec5566df7b3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codspeed.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `mozilla-actions/sccache-action` pinned to mutable ref `@v0.0.10`"}, "properties": {"repobilityId": 105863, "scanner": "repobility-supply-chain", "fingerprint": "362c878f2bdc90e68afaa922831f9e0da5f6cf244e3420023f62d635b2b44b9e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|362c878f2bdc90e68afaa922831f9e0da5f6cf244e3420023f62d635b2b44b9e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-quality.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", 
"message": {"text": "Action `Swatinem/rust-cache` pinned to mutable ref `@v2`"}, "properties": {"repobilityId": 105862, "scanner": "repobility-supply-chain", "fingerprint": "8739c28933271634c2e0de1c5b06c29dba07a54ad9d36ebb18d552c49a9e342f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8739c28933271634c2e0de1c5b06c29dba07a54ad9d36ebb18d552c49a9e342f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-quality.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dtolnay/rust-toolchain` pinned to mutable ref `@master`"}, "properties": {"repobilityId": 105861, "scanner": "repobility-supply-chain", "fingerprint": "136bbd02ecb9fe2b3465de2e3d4aea41a700c0329df62ce273bf22d17954487e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|136bbd02ecb9fe2b3465de2e3d4aea41a700c0329df62ce273bf22d17954487e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-quality.yml"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 105860, "scanner": "repobility-supply-chain", "fingerprint": "92ea8f7193fdfc1fa6b64b48ba897ba1bbe927bd700e0462eed200cef91be5b1", "category": "dependency", "severity": "high", "confidence": 
0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|92ea8f7193fdfc1fa6b64b48ba897ba1bbe927bd700e0462eed200cef91be5b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-quality.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`"}, "properties": {"repobilityId": 105859, "scanner": "repobility-supply-chain", "fingerprint": "35f465005317b70c26d445c89aff8afbb6aa2743e976be16478c160d74b6d99e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|35f465005317b70c26d445c89aff8afbb6aa2743e976be16478c160d74b6d99e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-quality.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 105858, "scanner": "repobility-supply-chain", "fingerprint": "23a153495c51170dd6225232daeacaa6a84d6737a2e59f894b0850a07fc13bab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": 
"fp|23a153495c51170dd6225232daeacaa6a84d6737a2e59f894b0850a07fc13bab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/code-quality.yml"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `codecov/codecov-action` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 105856, "scanner": "repobility-supply-chain", "fingerprint": "f2b2e789bfc83967dd0c728090a787eacffd71ce75c827dba71aef2e23756f89", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f2b2e789bfc83967dd0c728090a787eacffd71ce75c827dba71aef2e23756f89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dtolnay/rust-toolchain` pinned to mutable ref `@nightly`"}, "properties": {"repobilityId": 105855, "scanner": "repobility-supply-chain", "fingerprint": "2ffb9f2ff4fe99b73dca68c83fdaeebd81800ced40d6837b7151004f1d8e8814", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2ffb9f2ff4fe99b73dca68c83fdaeebd81800ced40d6837b7151004f1d8e8814"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable 
ref `@v4`"}, "properties": {"repobilityId": 105854, "scanner": "repobility-supply-chain", "fingerprint": "f8c49506598679d3342fc093f11766f880130f00fcfdf47cd78faee7345ae706", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f8c49506598679d3342fc093f11766f880130f00fcfdf47cd78faee7345ae706"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`"}, "properties": {"repobilityId": 105853, "scanner": "repobility-supply-chain", "fingerprint": "ee9a4c3bb4498afac2f3c17fef845d04fb36d65d74f17d8472128a0d225fa09c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ee9a4c3bb4498afac2f3c17fef845d04fb36d65d74f17d8472128a0d225fa09c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 105852, "scanner": "repobility-supply-chain", "fingerprint": "50132cb16c793c49169bb7af9c0d8d0ccaca0f66d26c40a177b8b0254d2cada8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": 
{"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|50132cb16c793c49169bb7af9c0d8d0ccaca0f66d26c40a177b8b0254d2cada8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 105851, "scanner": "repobility-supply-chain", "fingerprint": "88c8bd3706cd1effa4ada955616db1a4f9f7f7131873161e8b5fd6697f91416d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|88c8bd3706cd1effa4ada955616db1a4f9f7f7131873161e8b5fd6697f91416d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/GnuComment.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/github-script` pinned to mutable ref `@v7`"}, "properties": {"repobilityId": 105850, "scanner": "repobility-supply-chain", "fingerprint": "9c39ace83245a75f98152c1708b955a0f8424c3302643505b91f6f4814b13a3d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9c39ace83245a75f98152c1708b955a0f8424c3302643505b91f6f4814b13a3d"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": ".github/workflows/GnuComment.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED131", "level": "error", "message": {"text": "pre-commit hook `https://github.com/pre-commit/pre-commit-hooks` pinned to mutable rev `v6.0.0`"}, "properties": {"repobilityId": 105849, "scanner": "repobility-supply-chain", "fingerprint": "0a1d0117b5ae7bcda5c43a01a1e89419e3cc2dcf0b49e02b03856dcead7aa7fd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "precommit-untrusted-repo", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0a1d0117b5ae7bcda5c43a01a1e89419e3cc2dcf0b49e02b03856dcead7aa7fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".pre-commit-config.yaml"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger"}, "properties": {"repobilityId": 105857, "scanner": "repobility-supply-chain", "fingerprint": "df3892f27802dff1c2284946c157887416ca726d0a1ba666eebb9e0d4149771a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|df3892f27802dff1c2284946c157887416ca726d0a1ba666eebb9e0d4149771a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}, "region": {"startLine": 87}}}]}]}]}