{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "JRN003", "name": "Frontend API reference is not matched by discovered backend routes", "shortDescription": {"text": "Frontend API reference is not matched by discovered backend routes"}, "fullDescription": {"text": "Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore."}, "properties": {"scanner": "repobility-journey-contract", "category": "quality", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC009", "name": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function", "shortDescription": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to 
perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /w"}, "fullDescription": {"text": "Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "AUC004", "name": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence ", "shortDescription": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: GET /agent/stream/route."}, "fullDescription": {"text": "Define whether this endpoint is admin-only or super_admin-only, then enforce that distinction in code and .repobility/access.yml."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.66, "cwe": "", "owasp": ""}}, {"id": "AUC002", "name": "[AUC002] Low visible authorization coverage in route inventory: Only 8.3% of discovered routes show nearby authenticatio", "shortDescription": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 8.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "fullDescription": {"text": "Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": 
{"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `lobe` image has no explicit tag", "shortDescription": {"text": "Compose service `lobe` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `tempo` image uses the latest tag", "shortDescription": {"text": "Compose service `tempo` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC014", "name": "Database data bind mount is inside the Docker build context", "shortDescription": {"text": "Database data bind mount is inside the 
Docker build context"}, "fullDescription": {"text": "Prefer a named volume or a host path outside the build context. If a repo-local path is required, add it to .dockerignore and .gitignore and verify backups separately."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "AGT016", "name": "Codex session log reader may expose prompts or tool-call content", "shortDescription": {"text": "Codex session log reader may expose prompts or tool-call content"}, "fullDescription": {"text": "Parse only usage metadata by default. Redact prompts, tool arguments, file paths, and message content before storage, telemetry, export, screenshots, or support bundles."}, "properties": {"scanner": "repobility-agent-runtime", "category": "quality", "severity": "medium", "confidence": 0.73, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. 
The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": 
{"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", 
"confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, "fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC009", "name": "Multiple AI-agent scaffold marker files are present", "shortDescription": {"text": "Multiple AI-agent scaffold marker files are present"}, "fullDescription": {"text": "Keep one current agent instruction file if it helps 
contributors, remove stale progress/completion markers, and make sure the README, tests, and CI describe the real supported behavior."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 18 more): Same pattern found in 18 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED065", "name": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public re", "shortDescription": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-942,CWE-346 / A05:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 18 more): Same pattern found in 18 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 18 more): Same pattern found in 18 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. 
If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 4 more): Same pattern found in 4 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 34 more): Same pattern found in 34 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 34 more): Same pattern found in 34 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 142 more): Same pattern found in 142 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 142 more): Same pattern found in 142 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 151 more): Same pattern found in 151 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 151 more): Same pattern found in 151 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 105 more): Same pattern found in 105 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 105 more): Same pattern found in 105 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 24 more): Same pattern found in 24 additional f", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 55 more): Same pattern found in 55 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 55 more): Same pattern found in 55 additional files. 
Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `paradedb/paradedb:latest` unpinned: `container/services image: paradedb/pa", "shortDescription": {"text": "[MINED126] Workflow container/services image `paradedb/paradedb:latest` unpinned: `container/services image: paradedb/paradedb:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with "}, "fullDescription": {"text": "Replace with `paradedb/paradedb:latest@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v6` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED122", "name": "[MINED122] package.json dep `xlsx` pulled from URL/Git: `dependencies.xlsx` = `https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-", "shortDescription": {"text": "[MINED122] package.json dep `xlsx` pulled from URL/Git: `dependencies.xlsx` = `https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or g"}, "fullDescription": {"text": "Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `busybox:latest` not pinned by digest: `FROM busybox:latest` resolves the tag at build time. ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `busybox:latest` not pinned by digest: `FROM busybox:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images "}, "fullDescription": {"text": "Replace with: `FROM busybox:latest@sha256:<digest>`. Get the digest from `docker manifest inspect`. 
Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "JRN004", "name": "Consent is collected in UI without visible backend audit persistence", "shortDescription": {"text": "Consent is collected in UI without visible backend audit persistence"}, "fullDescription": {"text": "Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "high", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "SEC027", "name": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not config", "shortDescription": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "fullDescription": {"text": "Pass `noent: false` to libxmljs. Avoid xml2js or pass explicit secure config. Prefer parsers that don't expand external entities at all."}, "properties": {"scanner": "repobility-threat-engine", "category": "xxe", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC013", "name": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows ", "shortDescription": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files."}, "fullDescription": {"text": "Use os.path.realpath() and verify the path starts with your expected base directory. Use secure_filename() for uploads."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 0.8, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment against the cleaned base plus a trailing separator (a bare prefix check lets `/data2` pass for base `/data`): `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `const base = path.resolve(baseDir); const resolved = path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`. If the base directory may contain symlinks, resolve them (filepath.EvalSymlinks / fs.realpath) before the comparison."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED027", "name": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated ", "shortDescription": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "fullDescription": {"text": "Build a new array instead of mutating the existing one (`setState(prev => [...prev, item])`, or `.slice().sort()`), so the value passed to setState is a fresh reference React will diff. See CWE-682 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.DOCKER_REGISTRY_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.DOCKER_REGISTRY_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. 
Referencing `${ secrets.DOCKER_REGISTRY_PASSWORD }` lets a PR from any fork"}, "fullDescription": {"text": "Prefer removing the secret reference: on a plain `pull_request` trigger GitHub withholds repository secrets from fork PRs, so the step fails rather than leaks, but the reference shows the job was designed to run with credentials. If credentials are genuinely needed, split the workflow: run untrusted build/test on `pull_request` without secrets and do the credentialed publish on `push` or `workflow_run`. Switching to `pull_request_target` grants secrets to fork PRs, so that trigger must never check out or execute code from the PR head (for example `ref: ${{ github.event.pull_request.head.sha }}` followed by an install or build step) before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED125", "name": "[MINED125] GHA script injection via github.event.pull_request.head.ref in run-step: Multi-line `run: |` block interpolat", "shortDescription": {"text": "[MINED125] GHA script injection via github.event.pull_request.head.ref in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.head.ref }} into shell. PR title/body/branch/comment fields are attacker-controllable."}, "fullDescription": {"text": "Pass the field through the step's `env:` block (`env: { REF: ${{ github.event.pull_request.head.ref }} }`) and reference it quoted as `\"$REF\"` in the shell, so the value is treated as data rather than interpolated into the script text."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "JRN001", "name": "Token handoff appears to use a callback URL or fragment", "shortDescription": {"text": "Token handoff appears to use a callback URL or fragment"}, "fullDescription": {"text": "Use a server-side one-time authorization code tied to a registered callback allowlist (the OAuth 2.0 authorization-code flow with PKCE), exchanged for tokens over a back-channel request. Do not append access tokens to callback URLs or fragments: they leak through browser history, Referer headers, and proxy or server logs."}, "properties": {"scanner": "repobility-journey-contract", "category": "auth", "severity": "critical", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. 
Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "DKR005", "name": "Docker image bakes a secret-like ENV value", "shortDescription": {"text": "Docker image bakes a secret-like ENV value"}, "fullDescription": {"text": "Remove the secret from the Dockerfile, rotate the value if real, and inject runtime secrets through your platform secret manager. ENV values persist in image layers and are visible via `docker history`, so deleting the line does not unpublish a value already pushed to a registry; rotation is required."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Keep template source static or trusted and pass user input only as render context (`template.render(value=user_input)`), never as the template string. If users must author templates, use jinja2.sandbox.SandboxedEnvironment and treat it as a reduced, not eliminated, risk. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scop", "shortDescription": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/809"}, "properties": {"repository": "lobehub/lobehub", "repoUrl": "https://github.com/lobehub/lobehub", "branch": "main"}, "results": [{"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 70253, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security 
Policy"}, "properties": {"repobilityId": 70252, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 70246, "scanner": "repobility-journey-contract", "fingerprint": "4d46ee206ecea726fba65377e2d829072cb9db9bdd8d79765cbda7cad7c7538d", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/vertex-ai", "correlation_key": "fp|4d46ee206ecea726fba65377e2d829072cb9db9bdd8d79765cbda7cad7c7538d", "backend_endpoint_count": 12}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/model-runtime/src/providers/zenmux/index.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 70245, 
"scanner": "repobility-journey-contract", "fingerprint": "a49ee30931cf6c8e48e2481fc3738fca4338b454395a4b6949480fb14088b525", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/anthropic", "correlation_key": "fp|a49ee30931cf6c8e48e2481fc3738fca4338b454395a4b6949480fb14088b525", "backend_endpoint_count": 12}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/model-runtime/src/providers/zenmux/index.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 70244, "scanner": "repobility-journey-contract", "fingerprint": "d6e53c8616a24493bef9c3c9373812679aee40a009bee973442cba12066c85d2", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/webhooks/memory-extraction/benchmark-locomo", "correlation_key": "fp|d6e53c8616a24493bef9c3c9373812679aee40a009bee973442cba12066c85d2", "backend_endpoint_count": 12}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/memory-user-memory/benchmarks/locomo/run.ts"}, "region": {"startLine": 79}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, 
"properties": {"repobilityId": 70243, "scanner": "repobility-journey-contract", "fingerprint": "50f527eb540b886069b9047e59b4c0cb6d7850478f436f9b0d649a84b4880a41", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/device/devices", "correlation_key": "fp|50f527eb540b886069b9047e59b4c0cb6d7850478f436f9b0d649a84b4880a41", "backend_endpoint_count": 12}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-gateway-client/src/types.ts"}, "region": {"startLine": 13}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 70242, "scanner": "repobility-journey-contract", "fingerprint": "85317a0f0aef033fc1f0568f3e8dc4b6aae2a321f8d15ca11add9d23f47eb484", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/device/system-info", "correlation_key": "fp|85317a0f0aef033fc1f0568f3e8dc4b6aae2a321f8d15ca11add9d23f47eb484", "backend_endpoint_count": 12}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-gateway-client/src/http.ts"}, "region": {"startLine": 161}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, 
"properties": {"repobilityId": 70241, "scanner": "repobility-journey-contract", "fingerprint": "1ead53e487731e0b65902d37d81ac1b27cc762d6d4bd79ee59d21247e98d1ca9", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/device/agent/run", "correlation_key": "fp|1ead53e487731e0b65902d37d81ac1b27cc762d6d4bd79ee59d21247e98d1ca9", "backend_endpoint_count": 12}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-gateway-client/src/http.ts"}, "region": {"startLine": 149}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 70240, "scanner": "repobility-journey-contract", "fingerprint": "753fa25fee73c3dba1d44cfa20d7535a492d377360ff05bb9894d1f4d2fc1665", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/device/message-api", "correlation_key": "fp|753fa25fee73c3dba1d44cfa20d7535a492d377360ff05bb9894d1f4d2fc1665", "backend_endpoint_count": 12}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-gateway-client/src/http.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, 
"properties": {"repobilityId": 70239, "scanner": "repobility-journey-contract", "fingerprint": "63bda6f9d1afeb0c8519e5a0f08c77a6c5f0536c8d554bc11fda5befd1e1eb6a", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/device/tool-call", "correlation_key": "fp|63bda6f9d1afeb0c8519e5a0f08c77a6c5f0536c8d554bc11fda5befd1e1eb6a", "backend_endpoint_count": 12}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-gateway-client/src/http.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 70238, "scanner": "repobility-journey-contract", "fingerprint": "3b6970d3d854187534dfe9f8eed117e606d8aa5279a0222aeb660b40fdb41122", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/device/devices", "correlation_key": "fp|3b6970d3d854187534dfe9f8eed117e606d8aa5279a0222aeb660b40fdb41122", "backend_endpoint_count": 12}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-gateway-client/src/http.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": 
{"repobilityId": 70237, "scanner": "repobility-journey-contract", "fingerprint": "d5695d37174d724146530f43e304d267ffd7bfa37934e54148c39daf4c6917d6", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/device/status", "correlation_key": "fp|d5695d37174d724146530f43e304d267ffd7bfa37934e54148c39daf4c6917d6", "backend_endpoint_count": 12}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/device-gateway-client/src/http.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 70236, "scanner": "repobility-journey-contract", "fingerprint": "033ca11f9420a54c94381cba90f9b82736a2451d70d6d325d7f609c23cc5e45e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/v1/users/me", "correlation_key": "fp|033ca11f9420a54c94381cba90f9b82736a2451d70d6d325d7f609c23cc5e45e", "backend_endpoint_count": 12}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/src/utils/agentStream.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 70235, 
"scanner": "repobility-journey-contract", "fingerprint": "f94ffef0c131216673a5dfba01f873a349abd398c91c278aa6453b569197d3c4", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/agent/stream", "correlation_key": "fp|f94ffef0c131216673a5dfba01f873a349abd398c91c278aa6453b569197d3c4", "backend_endpoint_count": 12}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/local-testing/scripts/agent-gateway/probe-events.ts"}, "region": {"startLine": 263}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 70234, "scanner": "repobility-journey-contract", "fingerprint": "ba9ec00b6a26ae89c6e3cb52c595b019878d41419f16086456835ef59a68ce9c", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/agent/stream", "correlation_key": "fp|ba9ec00b6a26ae89c6e3cb52c595b019878d41419f16086456835ef59a68ce9c", "backend_endpoint_count": 12}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/local-testing/scripts/agent-gateway/probe-events.ts"}, "region": {"startLine": 253}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, 
"properties": {"repobilityId": 70233, "scanner": "repobility-journey-contract", "fingerprint": "990d54d57dc61f128445e3b9eaec5ca2c84a22c0ff78a09c749afd4e6987b18e", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/agent/stream", "correlation_key": "fp|990d54d57dc61f128445e3b9eaec5ca2c84a22c0ff78a09c749afd4e6987b18e", "backend_endpoint_count": 12}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/local-testing/scripts/agent-gateway/probe-events.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "JRN003", "level": "warning", "message": {"text": "Frontend API reference is not matched by discovered backend routes"}, "properties": {"repobilityId": 70232, "scanner": "repobility-journey-contract", "fingerprint": "89c6a795ea24618208d48fc2f836d576ed70cd1b469cda6329198a0fa68b5121", "category": "quality", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Same-origin /api path appears in frontend code but no discovered backend endpoint has the same route shape.", "evidence": {"rule_id": "JRN003", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "route_shape": "/api/agent/stream", "correlation_key": "fp|89c6a795ea24618208d48fc2f836d576ed70cd1b469cda6329198a0fa68b5121", "backend_endpoint_count": 12}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/local-testing/scripts/agent-gateway/probe-events.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks 
elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: POST /workflows/agent-eval-run/on-trajectory-complete/route."}, "properties": {"repobilityId": 70230, "scanner": "repobility-access-control", "fingerprint": "b6825f1901b4f3e2f72f3a0a5479fd4344fcab547c3ba4d9555340f010782262", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/workflows/agent-eval-run/on-trajectory-complete/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|src/app/ backend / token|23|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/(backend)/api/workflows/agent-eval-run/on-trajectory-complete/route.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /dev/test-push/route."}, "properties": {"repobilityId": 70229, "scanner": "repobility-access-control", "fingerprint": "212a001b52e028395c2e7670c5a0aad96b565e97164f3290997a5e0961b5d514", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/dev/test-push/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|src/app/ backend /api/dev/test-push/route.ts|18|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/(backend)/api/dev/test-push/route.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /dev/agent-tracing/route."}, "properties": {"repobilityId": 70228, "scanner": "repobility-access-control", "fingerprint": "e7b8dcd2343d6fd7dec0342b0ac7af4265ff14493d0b035d8e80e1381fc06dac", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/dev/agent-tracing/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|src/app/ backend / token|8|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/(backend)/api/dev/agent-tracing/route.ts"}, "region": {"startLine": 8}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /auth/check-user/route."}, "properties": {"repobilityId": 70227, "scanner": "repobility-access-control", "fingerprint": "21a97c659fe690365af240c144eb4418ee980bc193b1cbce0583dba9f0c9f7c0", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/auth/check-user/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|src/app/ backend / token|19|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/(backend)/api/auth/check-user/route.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /auth/resolve-username/route."}, "properties": {"repobilityId": 70226, "scanner": "repobility-access-control", "fingerprint": "004826332eaf9e4445e75c2a5d982d34ac061b6e60c760d5631d7ffe135b6d9e", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/auth/resolve-username/route", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|src/app/ backend / token|18|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/(backend)/api/auth/resolve-username/route.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /version/route."}, "properties": {"repobilityId": 70225, "scanner": "repobility-access-control", "fingerprint": "436395faab0ee969e6f5160fe3cba271c76876026485020777e9b4c920a65d24", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/version/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|src/app/ backend /api/version/route.ts|9|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/(backend)/api/version/route.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /(backend)/oidc/clear-session."}, "properties": {"repobilityId": 70224, "scanner": "repobility-access-control", "fingerprint": "209bd6ed66a67b40571858330d96feaccbf9d1a9c43d359b8bcf3c135828631a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/(backend)/oidc/clear-session", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|src/app/ backend /oidc/clear-session/route.ts|28|auc009", "identity_targets": ["authenticated"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/(backend)/oidc/clear-session/route.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: POST /(backend)/oidc/consent."}, "properties": {"repobilityId": 70223, "scanner": "repobility-access-control", "fingerprint": "43fe8c56097398a0e94be8e0be5e76cd6cee0ad77895657444d45af2b879fad3", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/(backend)/oidc/consent", "method": "POST", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|src/app/ backend /oidc/consent/route.ts|11|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/(backend)/oidc/consent/route.ts"}, "region": {"startLine": 11}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /(backend)/oidc/handoff."}, "properties": {"repobilityId": 70222, "scanner": "repobility-access-control", "fingerprint": "9da9013eeaa5e11ef663ff3c42d29e9dd3471718e9fb24c77be1c35b7f8cd62a", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/(backend)/oidc/handoff", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|src/app/ backend /oidc/handoff/route.ts|14|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/(backend)/oidc/handoff/route.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "AUC009", "level": "warning", "message": {"text": "[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. 
Endpoint: GET /spa/:variants/::...path."}, "properties": {"repobilityId": 70221, "scanner": "repobility-access-control", "fingerprint": "f1c28844419730feee65661990a8f84f5a0b363008b0f4bb8479c7ae7781571b", "category": "auth", "severity": "medium", "confidence": 0.68, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/spa/:variants/::...path", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|src/app/spa/ variants / ...path /route.ts|201|auc009", "identity_targets": ["unknown"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/spa/[variants]/[[...path]]/route.ts"}, "region": {"startLine": 201}}}]}, {"ruleId": "AUC004", "level": "warning", "message": {"text": "[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. 
Endpoint: GET /agent/stream/route."}, "properties": {"repobilityId": 70220, "scanner": "repobility-access-control", "fingerprint": "9a27f8ba5b75019897eb417e498d1a3c058c63f927a23e9776635c718894771a", "category": "auth", "severity": "medium", "confidence": 0.66, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"path": "/agent/stream/route", "method": "GET", "scanner": "repobility-access-control", "framework": "Next.js", "correlation_key": "code|auth|src/app/ backend /api/agent/stream/route.ts|15|auc004", "identity_targets": ["unknown", "admin"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/(backend)/api/agent/stream/route.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AUC002", "level": "warning", "message": {"text": "[AUC002] Low visible authorization coverage in route inventory: Only 8.3% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence."}, "properties": {"repobilityId": 70219, "scanner": "repobility-access-control", "fingerprint": "8b94fdb6c34925b404e0e9f550d60e919026a365e93d137247426fae2e7c9fd2", "category": "auth", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "endpoint_count": 12, "correlation_key": "fp|8b94fdb6c34925b404e0e9f550d60e919026a365e93d137247426fae2e7c9fd2", "auth_visible_percent": 8.3}}}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 70218, "scanner": "repobility-access-control", "fingerprint": 
"f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `lobe` image has no explicit tag"}, "properties": {"repobilityId": 70216, "scanner": "repobility-docker", "fingerprint": "163eff788a3db17dc2021af83853262be65737e7dd23b9530a2385244a8f6388", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "lobehub/lobehub", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|163eff788a3db17dc2021af83853262be65737e7dd23b9530a2385244a8f6388"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/production/grafana/docker-compose.yml"}, "region": {"startLine": 159}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `otel-collector` image has no explicit tag"}, "properties": {"repobilityId": 70215, "scanner": "repobility-docker", "fingerprint": "2399bc25c0e022f9b39dc25f5081cc58c82b3af63d86be5735204b5c32b4799a", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or 
digest.", "evidence": {"image": "otel/opentelemetry-collector", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|2399bc25c0e022f9b39dc25f5081cc58c82b3af63d86be5735204b5c32b4799a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/production/grafana/docker-compose.yml"}, "region": {"startLine": 137}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `prometheus` image has no explicit tag"}, "properties": {"repobilityId": 70214, "scanner": "repobility-docker", "fingerprint": "a03c6f3c2b7bb2b3f1688d3fef23b951762b5f89b24dae2ee4c4228c15be171e", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "prom/prometheus", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a03c6f3c2b7bb2b3f1688d3fef23b951762b5f89b24dae2ee4c4228c15be171e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/production/grafana/docker-compose.yml"}, "region": {"startLine": 123}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `tempo` image uses the latest tag"}, "properties": {"repobilityId": 70213, "scanner": "repobility-docker", "fingerprint": "c983a1ba6b517f05f40cd90ce2906bb353f3abf94154c35bca250a22823f8eef", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "grafana/tempo:latest", "rule_id": 
"DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|c983a1ba6b517f05f40cd90ce2906bb353f3abf94154c35bca250a22823f8eef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/production/grafana/docker-compose.yml"}, "region": {"startLine": 113}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `searxng` image has no explicit tag"}, "properties": {"repobilityId": 70212, "scanner": "repobility-docker", "fingerprint": "59d827ea7c7f91198f6dac5bc0c9c3057ff042e54f41c8a01f4b74e5a6a44c42", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "searxng/searxng", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|59d827ea7c7f91198f6dac5bc0c9c3057ff042e54f41c8a01f4b74e5a6a44c42"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/production/grafana/docker-compose.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 70210, "scanner": "repobility-docker", "fingerprint": "5917823b4c59ce7ac4991fa5ec24fbc1a1b818b7720b755c3a0b44eaf2fc97f1", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "minio", "references": 
["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|5917823b4c59ce7ac4991fa5ec24fbc1a1b818b7720b755c3a0b44eaf2fc97f1", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/production/grafana/docker-compose.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKC014", "level": "warning", "message": {"text": "Database data bind mount is inside the Docker build context"}, "properties": {"repobilityId": 70209, "scanner": "repobility-docker", "fingerprint": "963cc83b2a3a3c81d80799329dbee36da096ba8efae74c5056887a3bbd3d3bde", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database data directory is mounted from a relative path that is not excluded by .dockerignore.", "evidence": {"source": "./data", "target": "/var/lib/postgresql/data", "rule_id": "DKC014", "scanner": "repobility-docker", "service": "postgresql", "references": ["https://docs.docker.com/engine/storage/volumes/", "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|963cc83b2a3a3c81d80799329dbee36da096ba8efae74c5056887a3bbd3d3bde"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/production/grafana/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `network-service` image has no explicit tag"}, "properties": {"repobilityId": 70205, "scanner": "repobility-docker", "fingerprint": "9e9027772c39e884f7d12cce7ad23b24c09432598a60e95c867adf58144ca6f5", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "alpine", "rule_id": "DKR002", "scanner": "repobility-docker", "references": 
["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9e9027772c39e884f7d12cce7ad23b24c09432598a60e95c867adf58144ca6f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/production/grafana/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `searxng` image has no explicit tag"}, "properties": {"repobilityId": 70202, "scanner": "repobility-docker", "fingerprint": "039e3b658127a7aada053a3c765433d043a754e9cb4b56134f48f7cc43cc2e79", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "searxng/searxng", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|039e3b658127a7aada053a3c765433d043a754e9cb4b56134f48f7cc43cc2e79"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/dev/docker-compose.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 70200, "scanner": "repobility-docker", "fingerprint": "84e0aca377244ce0847d1dab8a9ae726631d5d162f7c233c7344afae443e6893", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "rustfs-init", "references": ["https://docs.docker.com/engine/storage/volumes/"], 
"correlation_key": "fp|84e0aca377244ce0847d1dab8a9ae726631d5d162f7c233c7344afae443e6893", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/dev/docker-compose.yml"}, "region": {"startLine": 73}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `rustfs-init` image uses the latest tag"}, "properties": {"repobilityId": 70199, "scanner": "repobility-docker", "fingerprint": "b99488f6715896418ab50c1e56ca8e32793da1195a6817eadc62d79870da3e59", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "minio/mc:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b99488f6715896418ab50c1e56ca8e32793da1195a6817eadc62d79870da3e59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/dev/docker-compose.yml"}, "region": {"startLine": 73}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `rustfs` image uses the latest tag"}, "properties": {"repobilityId": 70198, "scanner": "repobility-docker", "fingerprint": "c1f2853717686cae4f08073fb26cda47772def2e02f1d873caae2a8727f80266", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "rustfs/rustfs:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|c1f2853717686cae4f08073fb26cda47772def2e02f1d873caae2a8727f80266"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/dev/docker-compose.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "DKC014", "level": "warning", "message": {"text": "Database data bind mount is inside the Docker build context"}, "properties": {"repobilityId": 70196, "scanner": "repobility-docker", "fingerprint": "adac702a1002744c6d6be08405ac5ac96d417b414839b783cddfd309fb145a24", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database data directory is mounted from a relative path that is not excluded by .dockerignore.", "evidence": {"source": "./data", "target": "/var/lib/postgresql/data", "rule_id": "DKC014", "scanner": "repobility-docker", "service": "postgresql", "references": ["https://docs.docker.com/engine/storage/volumes/", "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|adac702a1002744c6d6be08405ac5ac96d417b414839b783cddfd309fb145a24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/dev/docker-compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `network-service` image has no explicit tag"}, "properties": {"repobilityId": 70192, "scanner": "repobility-docker", "fingerprint": "b76f45448b892f9b73ef940e4527c434e880e4c0811b774ed92174c526488e86", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "alpine", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|b76f45448b892f9b73ef940e4527c434e880e4c0811b774ed92174c526488e86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/dev/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `searxng` image has no explicit tag"}, "properties": {"repobilityId": 70191, "scanner": "repobility-docker", "fingerprint": "66bd9dcf4b489cf3118b1240cf43986ffd60acf8bfb4c03b814a197a299aeee8", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "searxng/searxng", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|66bd9dcf4b489cf3118b1240cf43986ffd60acf8bfb4c03b814a197a299aeee8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/deploy/docker-compose.yml"}, "region": {"startLine": 122}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 70189, "scanner": "repobility-docker", "fingerprint": "77584e516927b7f0df58eae006903dafe9c790c657ffac9acf77e086f34eb159", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "rustfs-init", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|77584e516927b7f0df58eae006903dafe9c790c657ffac9acf77e086f34eb159", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"docker-compose/deploy/docker-compose.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `rustfs-init` image uses the latest tag"}, "properties": {"repobilityId": 70188, "scanner": "repobility-docker", "fingerprint": "51c0629fed03a806f1e87691df48bbf0536c11f9485e6a433d13ff79a0ac04f1", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "minio/mc:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|51c0629fed03a806f1e87691df48bbf0536c11f9485e6a433d13ff79a0ac04f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/deploy/docker-compose.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `rustfs` image uses the latest tag"}, "properties": {"repobilityId": 70185, "scanner": "repobility-docker", "fingerprint": "0356d9d24e7a1fcbb6b8ade7e419a48e25d778cab5f5e92711a4f4f0c1bfa059", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "rustfs/rustfs:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|0356d9d24e7a1fcbb6b8ade7e419a48e25d778cab5f5e92711a4f4f0c1bfa059"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/deploy/docker-compose.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "DKC014", "level": 
"warning", "message": {"text": "Database data bind mount is inside the Docker build context"}, "properties": {"repobilityId": 70183, "scanner": "repobility-docker", "fingerprint": "7a04cc16ea161a41a63e2a9814c44cda604d5fee7b698234af8b5a969ff3d5c4", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database data directory is mounted from a relative path that is not excluded by .dockerignore.", "evidence": {"source": "./data", "target": "/var/lib/postgresql/data", "rule_id": "DKC014", "scanner": "repobility-docker", "service": "postgresql", "references": ["https://docs.docker.com/engine/storage/volumes/", "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|7a04cc16ea161a41a63e2a9814c44cda604d5fee7b698234af8b5a969ff3d5c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/deploy/docker-compose.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `lobe` image has no explicit tag"}, "properties": {"repobilityId": 70178, "scanner": "repobility-docker", "fingerprint": "d97097102f4e46190c4db38af621e54ae46edb3e00f34ce5ccc620a823eaacad", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "lobehub/lobehub", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d97097102f4e46190c4db38af621e54ae46edb3e00f34ce5ccc620a823eaacad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/deploy/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR003", "level": 
"warning", "message": {"text": "Dockerfile base image uses the latest tag"}, "properties": {"repobilityId": 70176, "scanner": "repobility-docker", "fingerprint": "590f9be1f3cb5573f918a59d4c4de98851e44d036102511df0cd1d7ada26c285", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "busybox:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|590f9be1f3cb5573f918a59d4c4de98851e44d036102511df0cd1d7ada26c285"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 105}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 70175, "scanner": "repobility-docker", "fingerprint": "aa3f73b2ecf9e0cc7c8c24e856f5741345889284d6278c5ea7c876d395409f3d", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aa3f73b2ecf9e0cc7c8c24e856f5741345889284d6278c5ea7c876d395409f3d", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 95}}}]}, {"ruleId": "AGT016", "level": "warning", "message": {"text": "Codex session log reader may expose prompts or tool-call content"}, "properties": {"repobilityId": 70171, "scanner": "repobility-agent-runtime", 
"fingerprint": "f9efbbe4916de98660ebe8c68740d775a35d5e3848a5db6d6c8031a87abe62ff", "category": "quality", "severity": "medium", "confidence": 0.73, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "File reads Codex session JSONL or usage logs and references prompt/message/tool content without visible redaction controls.", "evidence": {"rule_id": "AGT016", "scanner": "repobility-agent-runtime", "references": [], "correlation_key": "fp|f9efbbe4916de98660ebe8c68740d775a35d5e3848a5db6d6c8031a87abe62ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/src/commands/hetero.ts"}, "region": {"startLine": 64}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). 
OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 70142, "scanner": "repobility-threat-engine", "fingerprint": "3506ecb08a91da6620edf161775780f88020e9c3f1b971ebeb8c1c8fde898794", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(pluginState.downloadUrl, '_blank')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|50|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/builtin-tool-cloud-sandbox/src/client/Render/ExportFile/index.tsx"}, "region": {"startLine": 50}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 70128, "scanner": "repobility-threat-engine", "fingerprint": "80d62cb506b72de234a7e9382a54d5b61695bde2fd6ddf13c3dce6ed068a7269", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|80d62cb506b72de234a7e9382a54d5b61695bde2fd6ddf13c3dce6ed068a7269"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/heterogeneous-agents/src/askUser/AskUserBridge.ts"}, "region": {"startLine": 163}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": 
{"repobilityId": 70127, "scanner": "repobility-threat-engine", "fingerprint": "58347372e1c76b7d1c4e399770a11d14cf57bb70d0b9fc4fea2d092ae23a270c", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|58347372e1c76b7d1c4e399770a11d14cf57bb70d0b9fc4fea2d092ae23a270c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/main/modules/cliEmbedding/generateCliWrapper.ts"}, "region": {"startLine": 82}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 70117, "scanner": "repobility-threat-engine", "fingerprint": "d8ab704bb77d7ce562d7350afab5a83b89f49d837c0aee6e67a1f5a43fc5751b", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|15|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/main/utils/git.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 70116, "scanner": "repobility-threat-engine", "fingerprint": "dacb0ab354f844720a1dd0e3176701a5dd2011f8e5ca5cb1e66eefc0ba3bc79c", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|116|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/main/core/infrastructure/RendererProtocolManager.ts"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 70115, "scanner": "repobility-threat-engine", "fingerprint": "c8ed389d149a2014522bac3ef509af1f2990bcd6b47291ffcf4ee9a46df553e3", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|28|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/main/controllers/ShellCommandCtr.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 70075, "scanner": "repobility-threat-engine", "fingerprint": "0b00d0d9667b6c2f3b43f8b7ea33c3288778b9b33fe9dd79e70a628256da8726", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (4.4 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password=\"<redacted>\nbody={\"", "reason": "Low entropy value (4.4 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|. 
token|3|password redacted body"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/local-testing/bot/imessage/send-imessage-test.sh"}, "region": {"startLine": 39}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 70251, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 70250, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 70249, "scanner": "repobility-web-presence", 
"fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 70248, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 70211, "scanner": "repobility-docker", "fingerprint": "da6ca8b58c3df34be5b1a77abc7adc8a179dbbcdc3d446a0e5d762b5dfa6ef82", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": 
"DKC015", "scanner": "repobility-docker", "service": "minio", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|da6ca8b58c3df34be5b1a77abc7adc8a179dbbcdc3d446a0e5d762b5dfa6ef82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/production/grafana/docker-compose.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 70208, "scanner": "repobility-docker", "fingerprint": "3b302a2cd03d92791f93f47d27990d968cf6843cd4c41f47a3032a5cf6915844", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "postgresql", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3b302a2cd03d92791f93f47d27990d968cf6843cd4c41f47a3032a5cf6915844"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/production/grafana/docker-compose.yml"}, "region": {"startLine": 18}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 70207, "scanner": "repobility-docker", "fingerprint": "a75a5d2814b96b13566a8d66b912f8aae8b1967c45995b909a76a26ff0b6450d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "network-service", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|a75a5d2814b96b13566a8d66b912f8aae8b1967c45995b909a76a26ff0b6450d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/production/grafana/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 70206, "scanner": "repobility-docker", "fingerprint": "e1dfe9de899b6d4b996044fc01c6baff20886459736cd76a47cb2add2c410490", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "network-service", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e1dfe9de899b6d4b996044fc01c6baff20886459736cd76a47cb2add2c410490"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/production/grafana/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 70204, "scanner": "repobility-docker", "fingerprint": "84af78171bae52287a645bedb33ff4818cf10fa075afabc1b4b4e38595e8baa7", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "searxng", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|84af78171bae52287a645bedb33ff4818cf10fa075afabc1b4b4e38595e8baa7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"docker-compose/dev/docker-compose.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 70203, "scanner": "repobility-docker", "fingerprint": "66436d5435059d0f423019c5ab85dd399493f5da23e1ff50744d9b5908441530", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "searxng", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|66436d5435059d0f423019c5ab85dd399493f5da23e1ff50744d9b5908441530"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/dev/docker-compose.yml"}, "region": {"startLine": 98}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 70201, "scanner": "repobility-docker", "fingerprint": "dae7703f96c635c06396ec38f7b8f8c75e5bef32ff4b11d43ac5855255a65946", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "rustfs-init", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|dae7703f96c635c06396ec38f7b8f8c75e5bef32ff4b11d43ac5855255a65946"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/dev/docker-compose.yml"}, "region": {"startLine": 73}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 70195, "scanner": 
"repobility-docker", "fingerprint": "86ae4234d4588ff725f740d4caf4ab46e7bf62c864e9f8151e5cf43133acd1af", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "postgresql", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|86ae4234d4588ff725f740d4caf4ab46e7bf62c864e9f8151e5cf43133acd1af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/dev/docker-compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 70194, "scanner": "repobility-docker", "fingerprint": "2b7e605e48d42927880a9a00210d390103ee93be17e13504233f01720eab6463", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "network-service", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2b7e605e48d42927880a9a00210d390103ee93be17e13504233f01720eab6463"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/dev/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 70193, "scanner": "repobility-docker", "fingerprint": "3c49cdce3c1657b7fcca2dd5dbb76f32cc66a106e32d0deb7abc97b2169a8a2b", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", 
"verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "network-service", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3c49cdce3c1657b7fcca2dd5dbb76f32cc66a106e32d0deb7abc97b2169a8a2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/dev/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 70190, "scanner": "repobility-docker", "fingerprint": "85ae0bd71a0bdd813f37ad9f7fc746f43c1eafafae016ac283a2d710e5ae9d9c", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "rustfs-init", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|85ae0bd71a0bdd813f37ad9f7fc746f43c1eafafae016ac283a2d710e5ae9d9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/deploy/docker-compose.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 70187, "scanner": "repobility-docker", "fingerprint": "837de03dfc7ecf90cf4ca2e12feffdeb194756b8e27c0da862cc082dd69013f7", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "rustfs", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|837de03dfc7ecf90cf4ca2e12feffdeb194756b8e27c0da862cc082dd69013f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/deploy/docker-compose.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 70186, "scanner": "repobility-docker", "fingerprint": "10fd6ce1d9aa093e61d3658993c64ba4ff677296e6099d90d207e8a53d19a794", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "rustfs", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|10fd6ce1d9aa093e61d3658993c64ba4ff677296e6099d90d207e8a53d19a794"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/deploy/docker-compose.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 70182, "scanner": "repobility-docker", "fingerprint": "3d39cfc29df30cc22a39195effe8e865ccca91e450199bf8a372323d61765a20", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "postgresql", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": 
"fp|3d39cfc29df30cc22a39195effe8e865ccca91e450199bf8a372323d61765a20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/deploy/docker-compose.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 70181, "scanner": "repobility-docker", "fingerprint": "fad40ff50dba843766ea0941d92b35331473510e06aaa8f90b195decf3750728", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "lobe", "dependency": "rustfs-init", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|fad40ff50dba843766ea0941d92b35331473510e06aaa8f90b195decf3750728", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/deploy/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 70180, "scanner": "repobility-docker", "fingerprint": "b17c1cf0ed530ac9324acda0c2855b09597912fb8287a3d15daf43fc38319bfe", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "lobe", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b17c1cf0ed530ac9324acda0c2855b09597912fb8287a3d15daf43fc38319bfe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"docker-compose/deploy/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 70179, "scanner": "repobility-docker", "fingerprint": "3f74c45d1ad9778c801dce4effaa8587d2fc8e6a8711cf19b3b2da0559a623e5", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "lobe", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3f74c45d1ad9778c801dce4effaa8587d2fc8e6a8711cf19b3b2da0559a623e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/deploy/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 70177, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": 
{"repobilityId": 70173, "scanner": "repobility-docker", "fingerprint": "274ced2c7c6667c1f3933d4b22e1b9340d7d0d44427423f632765d4878598682", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|274ced2c7c6667c1f3933d4b22e1b9340d7d0d44427423f632765d4878598682"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70170, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eb05caff42168c57b9db1c28c55a9ea1721c7b838ff3ee86767b6d2962659185", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/builtin-tool-agent-management/src/client/Inspector/CallAgent/index.tsx", "duplicate_line": 12, "correlation_key": "fp|eb05caff42168c57b9db1c28c55a9ea1721c7b838ff3ee86767b6d2962659185"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/builtin-tool-agent-management/src/client/Inspector/UpdateAgent/index.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70169, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"a5969f957ca7033a5dbfc6c0039c561b768d5056ea0037e500308ad2871c6df4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/builtin-tool-agent-management/src/client/Inspector/CallAgent/index.tsx", "duplicate_line": 12, "correlation_key": "fp|a5969f957ca7033a5dbfc6c0039c561b768d5056ea0037e500308ad2871c6df4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/builtin-tool-agent-management/src/client/Inspector/SearchAgent/index.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70168, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ddfeaf183eaed5942dc5429d502079fe8261e52abd4e4710c6f74fd9e799e1a6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/builtin-tool-agent-management/src/client/Inspector/CallAgent/index.tsx", "duplicate_line": 12, "correlation_key": "fp|ddfeaf183eaed5942dc5429d502079fe8261e52abd4e4710c6f74fd9e799e1a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/builtin-tool-agent-management/src/client/Inspector/InstallPlugin/index.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70167, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "05d4ca47354017b69271f35125748d8a56bed46ff569d8e16b1c680817644195", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/builtin-tool-agent-management/src/client/Inspector/CallAgent/index.tsx", "duplicate_line": 12, "correlation_key": "fp|05d4ca47354017b69271f35125748d8a56bed46ff569d8e16b1c680817644195"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/builtin-tool-agent-management/src/client/Inspector/GetAgentDetail/index.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70166, "scanner": "repobility-ai-code-hygiene", "fingerprint": "763a2a78a5667cf8289d683020bbed1cd7e820a020b357b3581a0a8a2c9378df", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/builtin-tool-agent-management/src/client/Inspector/CallAgent/index.tsx", "duplicate_line": 12, "correlation_key": "fp|763a2a78a5667cf8289d683020bbed1cd7e820a020b357b3581a0a8a2c9378df"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/builtin-tool-agent-management/src/client/Inspector/DuplicateAgent/index.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, 
"properties": {"repobilityId": 70165, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4afa3400098f462f94a6ac885a02c3884274bb8e81641dc10870f639d874c964", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/builtin-tool-agent-management/src/client/Inspector/CallAgent/index.tsx", "duplicate_line": 12, "correlation_key": "fp|4afa3400098f462f94a6ac885a02c3884274bb8e81641dc10870f639d874c964"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/builtin-tool-agent-management/src/client/Inspector/CreateAgent/index.tsx"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70164, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a0b19ee52306b14eda27caf90aee0b9602ac18d22b8b13811f6ad129b00335e2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/builtin-tool-agent-documents/src/client/Render/CreateDocument/DocumentCard.tsx", "duplicate_line": 29, "correlation_key": "fp|a0b19ee52306b14eda27caf90aee0b9602ac18d22b8b13811f6ad129b00335e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/builtin-tool-agent-documents/src/client/Streaming/CreateDocument/index.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated 
implementation block across source files"}, "properties": {"repobilityId": 70163, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d9c2ee2bae8987cb994a6911b237fdf5fb421c6be1ec9f5fdeef2f67f3e7ca7a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agent-manager-runtime/src/types.ts", "duplicate_line": 78, "correlation_key": "fp|d9c2ee2bae8987cb994a6911b237fdf5fb421c6be1ec9f5fdeef2f67f3e7ca7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/builtin-tool-agent-builder/src/types.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70162, "scanner": "repobility-ai-code-hygiene", "fingerprint": "10f6f4966f3aa27c8ba2d6f9811604cbcac39c18d5517f713ced60f397b7aabd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agent-runtime/src/core/runtime.ts", "duplicate_line": 240, "correlation_key": "fp|10f6f4966f3aa27c8ba2d6f9811604cbcac39c18d5517f713ced60f397b7aabd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent-runtime/src/groupOrchestration/GroupOrchestrationRuntime.ts"}, "region": {"startLine": 111}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 
70161, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f41eda71397c98132ac024bd0e3216804de6108970c93124ff8981fa6c9616d5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "packages/agent-runtime/src/core/UsageCounter.ts", "duplicate_line": 31, "correlation_key": "fp|f41eda71397c98132ac024bd0e3216804de6108970c93124ff8981fa6c9616d5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent-runtime/src/core/runtime.ts"}, "region": {"startLine": 262}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70160, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2b9a98c942731f97804e5ea49e51b67c7801d68b882891197a13b181b5729c00", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e/src/steps/page/editor-meta.steps.ts", "duplicate_line": 9, "correlation_key": "fp|2b9a98c942731f97804e5ea49e51b67c7801d68b882891197a13b181b5729c00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/src/steps/page/page-crud.steps.ts"}, "region": {"startLine": 70}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70159, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"4e1a01016896de76394cc8c73757b520dd501462103b93f19a0b122d1691c360", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "e2e/src/steps/home/sidebarAgent.steps.ts", "duplicate_line": 79, "correlation_key": "fp|4e1a01016896de76394cc8c73757b520dd501462103b93f19a0b122d1691c360"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "e2e/src/steps/home/sidebarGroup.steps.ts"}, "region": {"startLine": 50}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70158, "scanner": "repobility-ai-code-hygiene", "fingerprint": "eb9f721e28a6a2d271c7f0caed377121c14c599fc43978651b92ee4fbc02ebc0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/desktop/src/main/controllers/McpInstallCtr.ts", "duplicate_line": 6, "correlation_key": "fp|eb9f721e28a6a2d271c7f0caed377121c14c599fc43978651b92ee4fbc02ebc0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/main/utils/protocol.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70157, "scanner": "repobility-ai-code-hygiene", "fingerprint": "77aa6df1ce76d6aa7031c066f851fd5b33d2b10c1902d68bef747ff54b5a4323", "category": "quality", "severity": "low", 
"confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/desktop/src/main/menus/impls/macOS.ts", "duplicate_line": 145, "correlation_key": "fp|77aa6df1ce76d6aa7031c066f851fd5b33d2b10c1902d68bef747ff54b5a4323"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/main/menus/impls/windows.ts"}, "region": {"startLine": 178}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70156, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ce6b18c8d3214deb57e43e15243369dce8299383f5ac0fa7ad7678c124231615", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/desktop/src/main/menus/impls/linux.ts", "duplicate_line": 9, "correlation_key": "fp|ce6b18c8d3214deb57e43e15243369dce8299383f5ac0fa7ad7678c124231615"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/main/menus/impls/windows.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70155, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1e2155f839dc8c93006d0dfaaf943682ec222b71535c0914e9e79ab062cf7548", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized 
source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/desktop/src/main/menus/impls/linux.ts", "duplicate_line": 15, "correlation_key": "fp|1e2155f839dc8c93006d0dfaaf943682ec222b71535c0914e9e79ab062cf7548"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/main/menus/impls/macOS.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70154, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b07f8e2396a7fe5c2a92b82f8d4cdcb49a2509358c395b337c0f822d7fe2f11c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/cli/src/tools/heteroTask.ts", "duplicate_line": 90, "correlation_key": "fp|b07f8e2396a7fe5c2a92b82f8d4cdcb49a2509358c395b337c0f822d7fe2f11c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/main/controllers/GatewayConnectionCtr.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70153, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c2c06632a04b8e228aa2509687dfdcc4504885039a904bfde27e90c600871f95", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", 
"scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": ".i18nrc.js", "duplicate_line": 13, "correlation_key": "fp|c2c06632a04b8e228aa2509687dfdcc4504885039a904bfde27e90c600871f95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/.i18nrc.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70152, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a5e8ef72dc21cf0819efd4025110b9e930cf04fe5bb3d0e13fffd8b318af269c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/cli/src/commands/task/index.ts", "duplicate_line": 194, "correlation_key": "fp|a5e8ef72dc21cf0819efd4025110b9e930cf04fe5bb3d0e13fffd8b318af269c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/src/commands/task/topic.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 70151, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a7a7e204dc6b2acd02ec8c3a0e534284ff721c544f6bba56ed9c7dd2d8eb7aa3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "apps/cli/src/commands/connect.ts", "duplicate_line": 149, "correlation_key": 
"fp|a7a7e204dc6b2acd02ec8c3a0e534284ff721c544f6bba56ed9c7dd2d8eb7aa3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/src/commands/status.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC009", "level": "note", "message": {"text": "Multiple AI-agent scaffold marker files are present"}, "properties": {"repobilityId": 70150, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ff6e1d5f8944c42e18d355d72dd1be436aa8bed440cc2a7bce2c8a8fb4706ed6", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains several AI-agent scaffold marker files.", "evidence": {"markers": ["AGENTS.md", "CLAUDE.md", "GEMINI.md"], "rule_id": "AIC009", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|ff6e1d5f8944c42e18d355d72dd1be436aa8bed440cc2a7bce2c8a8fb4706ed6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "AGENTS.md"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 70095, "scanner": "repobility-threat-engine", "fingerprint": "f2e90b8aae2e47993d812d4dd79bca6f49da8d608d59feebae17345e5c840639", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'SWITCH_LOOP_CONFIG:back=' + BACK_KEY + ',away='", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f2e90b8aae2e47993d812d4dd79bca6f49da8d608d59feebae17345e5c840639"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/local-testing/scripts/agent-gateway/tab-switch.js"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 70094, "scanner": "repobility-threat-engine", "fingerprint": "e4a8de7bc01ad705da4a73f2d4b1a952029c94e9644bd712de0afb243b9bcb0e", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'clicked i=' + i + ' key='", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e4a8de7bc01ad705da4a73f2d4b1a952029c94e9644bd712de0afb243b9bcb0e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/local-testing/scripts/agent-gateway/probe.js"}, "region": {"startLine": 185}}}]}, {"ruleId": "DKR002", "level": "none", "message": {"text": "Dockerfile base image is selected through a build variable"}, "properties": {"repobilityId": 70172, "scanner": "repobility-docker", "fingerprint": "35e239765fad884842f68ec596dc00e5434eb965e4dae5234c5139cc67ffa1a9", "category": "docker", "severity": "info", "confidence": 0.48, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Base image contains a variable; manual review is needed to avoid false positives.", "evidence": {"image": "node:${NODEJS_VERSION}-slim", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/"], "correlation_key": "fp|35e239765fad884842f68ec596dc00e5434eb965e4dae5234c5139cc67ffa1a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 18 more): Same 
pattern found in 18 additional files. Review if needed."}, "properties": {"repobilityId": 70141, "scanner": "repobility-threat-engine", "fingerprint": "6faababe47c10eb2d2e90656cb5b77d5d842a1ecb758e761f309546c06fe3100", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6faababe47c10eb2d2e90656cb5b77d5d842a1ecb758e761f309546c06fe3100", "aggregated_count": 18}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 70140, "scanner": "repobility-threat-engine", "fingerprint": "f886d296dc10a4660f0a2921aa95a921388cfa91308139a0e9ca2322687bc3c1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f886d296dc10a4660f0a2921aa95a921388cfa91308139a0e9ca2322687bc3c1"}}, "locations": [{"physicalLocation": 
{"artifactLocation": {"uri": "packages/builtin-tool-cloud-sandbox/src/client/Intervention/MoveLocalFiles/index.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 70139, "scanner": "repobility-threat-engine", "fingerprint": "29dc677e09c853ca3e2f794ae5af0248c28fe8bdfae2c360dbdbb7cda406e635", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|29dc677e09c853ca3e2f794ae5af0248c28fe8bdfae2c360dbdbb7cda406e635"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/builtin-tool-claude-code/src/client/Render/TodoWrite/index.tsx"}, "region": {"startLine": 185}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 70138, "scanner": "repobility-threat-engine", "fingerprint": "3b5c4f9cfbc8d418fe2c8bf643f0af35a2586aec88db59fcdfb310b2c6dc2241", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, 
"promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3b5c4f9cfbc8d418fe2c8bf643f0af35a2586aec88db59fcdfb310b2c6dc2241"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/builtin-tool-claude-code/src/client/Render/Task/index.tsx"}, "region": {"startLine": 290}}}]}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 70137, "scanner": "repobility-threat-engine", "fingerprint": "ce130c25f591548c1a9648915d4ecbc5c675f91c8cb56b9f5fce3bfbf5b0aed6", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|44|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent-signal/src/base/builders.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 70136, "scanner": "repobility-threat-engine", "fingerprint": "90a983ae2327fe2ddf05ecbedee38b4a196180482606a0fdef5e49cba72fabad", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|90a983ae2327fe2ddf05ecbedee38b4a196180482606a0fdef5e49cba72fabad"}}}, {"ruleId": "MINED065", "level": "none", "message": {"text": "[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints."}, "properties": {"repobilityId": 70129, "scanner": "repobility-threat-engine", "fingerprint": "0799d4982333e9e54d49d67264d72827d6af84c60975605f9718b56c62b39179", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "cors-wildcard", "owasp": "A05:2021", "cwe_ids": ["CWE-942", "CWE-346"], "languages": ["python", "javascript", "typescript", "yaml", "json"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348052+00:00", "triaged_in_corpus": 12, "observations_count": 63910, "ai_coder_pattern_id": 46}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0799d4982333e9e54d49d67264d72827d6af84c60975605f9718b56c62b39179"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/production/grafana/docker-compose.yml"}, "region": {"startLine": 45}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 18 more): Same pattern found in 18 additional files. 
Review if needed."}, "properties": {"repobilityId": 70126, "scanner": "repobility-threat-engine", "fingerprint": "b98826a496e2c244206dacb96a98f930d8c279872e9506ee2677167c314ee386", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 18 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|b98826a496e2c244206dacb96a98f930d8c279872e9506ee2677167c314ee386"}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 70122, "scanner": "repobility-threat-engine", "fingerprint": "f79b4c6ce4eb0d7d776ad2633f739e1a0f46e1ad817ef3a9572abdaf1937f71a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f79b4c6ce4eb0d7d776ad2633f739e1a0f46e1ad817ef3a9572abdaf1937f71a"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 6 more): Same pattern found in 6 additional files. 
Review if needed."}, "properties": {"repobilityId": 70118, "scanner": "repobility-threat-engine", "fingerprint": "c80ff157c0dd4f06d29a253eef2e040bc846fc539581945c90fe13c6ec14dd22", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c80ff157c0dd4f06d29a253eef2e040bc846fc539581945c90fe13c6ec14dd22"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 70112, "scanner": "repobility-threat-engine", "fingerprint": "0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "aggregated_count": 3}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 70111, "scanner": "repobility-threat-engine", "fingerprint": "81309882292a627cfb28fecdb446c2e1f1e5a0330304da0a69bf56b353efec0b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|81309882292a627cfb28fecdb446c2e1f1e5a0330304da0a69bf56b353efec0b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/deploy/docker-compose.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 70110, "scanner": "repobility-threat-engine", "fingerprint": "9d77262f6827495b056e1b0475d6df433256cf1e00f967f2f595fcc5ee1da010", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": 
"confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9d77262f6827495b056e1b0475d6df433256cf1e00f967f2f595fcc5ee1da010"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/src/commands/skill.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 70109, "scanner": "repobility-threat-engine", "fingerprint": "f32e6d27effff84cbe972f623536fd5117cd13e84a83f13c571a6e9fdd01636b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f32e6d27effff84cbe972f623536fd5117cd13e84a83f13c571a6e9fdd01636b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/src/commands/search.ts"}, "region": {"startLine": 97}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 34 more): Same pattern found in 34 additional files. 
Review if needed."}, "properties": {"repobilityId": 70108, "scanner": "repobility-threat-engine", "fingerprint": "c1ea769a74e4a77fe2e0ec67acba985c88b1dbecd6304fcc26f091d4d19ea324", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 34 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|c1ea769a74e4a77fe2e0ec67acba985c88b1dbecd6304fcc26f091d4d19ea324", "aggregated_count": 34}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 70107, "scanner": "repobility-threat-engine", "fingerprint": "3e6e562cb0c12da41ab46c664b2c254a93e9c21d7dc397d7a694d5a72690e863", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3e6e562cb0c12da41ab46c664b2c254a93e9c21d7dc397d7a694d5a72690e863"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/src/commands/provider.ts"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 70106, "scanner": "repobility-threat-engine", "fingerprint": "c7165c0d1061cb1e236f246c33a3e1a39d45e9348f983418de73b7868ee76fac", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c7165c0d1061cb1e236f246c33a3e1a39d45e9348f983418de73b7868ee76fac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/src/commands/botMessengers.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 70105, "scanner": "repobility-threat-engine", "fingerprint": "7185ffc3f3b99913f7d52cd1c89b932c372e0e38366aadcfc26e9e297d78df7e", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7185ffc3f3b99913f7d52cd1c89b932c372e0e38366aadcfc26e9e297d78df7e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/src/api/http.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 70104, "scanner": "repobility-threat-engine", "fingerprint": "2eea17c3958d8d59b74ef7a930fd1bd50c4ff30d4ebe6be4d52c6f565e9b1195", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2eea17c3958d8d59b74ef7a930fd1bd50c4ff30d4ebe6be4d52c6f565e9b1195"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/auto-close-duplicates.ts"}, "region": {"startLine": 99}}}]}, 
{"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 70103, "scanner": "repobility-threat-engine", "fingerprint": "d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1", "category": "credential_exposure", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|d438fc2d14c63660d615290dceab2a5421ef5f4c5a8a429a3564895c539fbbc1"}}}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 70102, "scanner": "repobility-threat-engine", "fingerprint": "4cdb49f4590425d8bb94b1baf751839f7477401a71620130c9a4b2898dc5c59c", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.info(`[electron-vite.config.ts] Detected UPDATE_CHANNEL: ${updateChannel}`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|10|console.info electron-vite.config.ts detected update_channel: updatechannel"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/electron.vite.config.ts"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 70101, "scanner": "repobility-threat-engine", "fingerprint": "873910b790be8a73d590e01a6cb08833233b27dcf0e927affa1fbd3dbc0b3ba4", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.log(`  Check Model: ${config.checkModel}`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|19|console.log check model: config.checkmodel"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/src/commands/provider.ts"}, "region": {"startLine": 199}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 70100, "scanner": "repobility-threat-engine", "fingerprint": "bbad381b94a636f9228dacd143eec70bec1d40c989490acaf0baab32074bbdc7", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log('[DEBUG] GitHub token found')", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|. 
token|9|console.log debug github token found"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/auto-close-duplicates.ts"}, "region": {"startLine": 99}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 142 more): Same pattern found in 142 additional files. Review if needed."}, "properties": {"repobilityId": 70099, "scanner": "repobility-threat-engine", "fingerprint": "3e7c4331d8f15c14107279b066e565b7df61b8205fde18a04ba63ccd249789d9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 142 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3e7c4331d8f15c14107279b066e565b7df61b8205fde18a04ba63ccd249789d9", "aggregated_count": 142}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 70098, "scanner": "repobility-threat-engine", "fingerprint": "d0a095aae8715dabdaae7c27ade8b9d599070d9a2def6d2cec7518a1b77f7697", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d0a095aae8715dabdaae7c27ade8b9d599070d9a2def6d2cec7518a1b77f7697"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/src/commands/agent-group.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 70097, "scanner": "repobility-threat-engine", "fingerprint": "78633deb78030c0aac196e6c0bcd46c74305c4fb3acd3713de2dbeebc94c60a1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|78633deb78030c0aac196e6c0bcd46c74305c4fb3acd3713de2dbeebc94c60a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/scripts/auto-close-duplicates.ts"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 70096, "scanner": "repobility-threat-engine", "fingerprint": "c1a3c0ec253b1462816878ce100a6d4bfb0bf063df7fc2a36eaab713ff84b501", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c1a3c0ec253b1462816878ce100a6d4bfb0bf063df7fc2a36eaab713ff84b501"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/local-testing/scripts/agent-gateway/run.ts"}, "region": {"startLine": 208}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 70093, "scanner": "repobility-threat-engine", "fingerprint": "4c260b13dc7f84db5f6fb812ad708014d4afb712864d68ad6c19bf9c09dd5d76", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": 
"fp|4c260b13dc7f84db5f6fb812ad708014d4afb712864d68ad6c19bf9c09dd5d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/local-testing/scripts/agent-gateway/tab-switch.js"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 70092, "scanner": "repobility-threat-engine", "fingerprint": "069c312d096d2648b3334932cf5162f61515c217576f08e5c3801123cc459752", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|069c312d096d2648b3334932cf5162f61515c217576f08e5c3801123cc459752"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/local-testing/scripts/agent-gateway/probe-dump.js"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 151 more): Same pattern found in 151 additional files. Review if needed."}, "properties": {"repobilityId": 70091, "scanner": "repobility-threat-engine", "fingerprint": "0eb7741eeddb4464cb10d0e9d67e5beb676ca6ba41cfe7f20bc7d0b983577415", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 151 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0eb7741eeddb4464cb10d0e9d67e5beb676ca6ba41cfe7f20bc7d0b983577415", "aggregated_count": 151}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 70090, "scanner": "repobility-threat-engine", "fingerprint": "872be74c6f986b492fd4c2435d8966d35055f1c8b378980796227cc07f2d3a52", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|872be74c6f986b492fd4c2435d8966d35055f1c8b378980796227cc07f2d3a52"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/src/commands/botMessengers.ts"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 70089, "scanner": "repobility-threat-engine", "fingerprint": "64656eab38e8e1888275cdbca7825494e034e2f0406260ddab422fdeeb4684d2", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|64656eab38e8e1888275cdbca7825494e034e2f0406260ddab422fdeeb4684d2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/src/commands/agent-group.ts"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 70088, "scanner": "repobility-threat-engine", "fingerprint": "305afb3e286ba93c03ae7ac30b476f8f37b5ad4ff7e0503cd089e581f159d709", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|305afb3e286ba93c03ae7ac30b476f8f37b5ad4ff7e0503cd089e581f159d709"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/local-testing/scripts/agent-gateway/analyze-events.ts"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 105 more): Same pattern found in 105 additional files. 
Review if needed."}, "properties": {"repobilityId": 70087, "scanner": "repobility-threat-engine", "fingerprint": "dea7751225846998330f7750e3457e6b2ba7f07e8aed290448e47284021ae978", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 105 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|dea7751225846998330f7750e3457e6b2ba7f07e8aed290448e47284021ae978", "aggregated_count": 105}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 70086, "scanner": "repobility-threat-engine", "fingerprint": "a7a874dbd86680fe94b66a725eb18a058c689b6078a9e829be594380a311c856", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a7a874dbd86680fe94b66a725eb18a058c689b6078a9e829be594380a311c856"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/local-testing/scripts/agent-gateway/run.ts"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 70085, "scanner": "repobility-threat-engine", "fingerprint": "209e520a4b1c4d7b1d6a88e090813f54f8e3dee2d62a7d9b6f01661c35435dff", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|209e520a4b1c4d7b1d6a88e090813f54f8e3dee2d62a7d9b6f01661c35435dff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/local-testing/scripts/agent-gateway/analyze.mjs"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 70084, "scanner": "repobility-threat-engine", "fingerprint": "617f65c90a7823e97753372b49d84d9f7ef704b30cf0b4253b97f764e4f61cc6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|617f65c90a7823e97753372b49d84d9f7ef704b30cf0b4253b97f764e4f61cc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/local-testing/scripts/agent-gateway/analyze-events.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 24 more): Same pattern found in 24 additional files. Review if needed."}, "properties": {"repobilityId": 70083, "scanner": "repobility-threat-engine", "fingerprint": "126918e20c14e564f5c3033ac0029d9f279421578a3163308e4900b237e44ff7", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 24 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 24 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|126918e20c14e564f5c3033ac0029d9f279421578a3163308e4900b237e44ff7"}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 55 more): Same pattern found in 55 additional files. Review if needed."}, "properties": {"repobilityId": 70079, "scanner": "repobility-threat-engine", "fingerprint": "8d20dfc2befa3eb413b2ab210f87e4dd6c3b64cbfe0a0c2c1da125bec510ae7c", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 55 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 55 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8d20dfc2befa3eb413b2ab210f87e4dd6c3b64cbfe0a0c2c1da125bec510ae7c"}}}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `paradedb/paradedb:latest` unpinned: `container/services image: paradedb/paradedb:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 70301, "scanner": "repobility-supply-chain", "fingerprint": "a20e68e1bf8b567fd9253ba85f1390df449013033c5f2465092038592b09d006", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a20e68e1bf8b567fd9253ba85f1390df449013033c5f2465092038592b09d006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-auto-e2e-testing.yml"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `paradedb/paradedb:latest` unpinned: `container/services image: paradedb/paradedb:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 70300, "scanner": "repobility-supply-chain", "fingerprint": "33cb5d3e9aea5b2e0a935348b7f53cf4d0053049aa6710336c07d3633914a7fb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|33cb5d3e9aea5b2e0a935348b7f53cf4d0053049aa6710336c07d3633914a7fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/e2e.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `paradedb/paradedb:latest` unpinned: `container/services image: paradedb/paradedb:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 70299, "scanner": "repobility-supply-chain", "fingerprint": "baf044e7b47e4e4ac11d2a1bf40dad6fae84853639d5dd7064883b74767e68b5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|baf044e7b47e4e4ac11d2a1bf40dad6fae84853639d5dd7064883b74767e68b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70284, "scanner": "repobility-supply-chain", "fingerprint": "86e036c20761616f01f5bd16d1d7d9dc895e1d51aed4d6fa7e2b23941e47787f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86e036c20761616f01f5bd16d1d7d9dc895e1d51aed4d6fa7e2b23941e47787f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sync-database-schema.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/create-pull-request` pinned to mutable ref `@v7`: `uses: peter-evans/create-pull-request@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70283, "scanner": "repobility-supply-chain", "fingerprint": "9e04f017d7b1eb62fa5a2d5b3186665ae5d303ff262c6752366e99a41b12a7bb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9e04f017d7b1eb62fa5a2d5b3186665ae5d303ff262c6752366e99a41b12a7bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-i18n.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70282, "scanner": "repobility-supply-chain", "fingerprint": "2cfb92aed793fbc168edfe15b48088c5ba481e72988233e0b62d63e37cac4b5c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2cfb92aed793fbc168edfe15b48088c5ba481e72988233e0b62d63e37cac4b5c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto-i18n.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70281, "scanner": "repobility-supply-chain", "fingerprint": "527ad1f5986f0bb9875751931d3c1c65ceb41e83371b87f045a4dd9585bec70d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|527ad1f5986f0bb9875751931d3c1c65ceb41e83371b87f045a4dd9585bec70d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-model-bank.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70280, "scanner": "repobility-supply-chain", "fingerprint": "4dd3553600d2e2f2ad8081942c9ec9f1168fdea0162866639398cd5c20246168", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4dd3553600d2e2f2ad8081942c9ec9f1168fdea0162866639398cd5c20246168"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-model-bank.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70279, "scanner": "repobility-supply-chain", "fingerprint": "88fabb9930f99e5b32d5e193796c45f3a294dcbb99ec3256e523ce4af7be27c8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|88fabb9930f99e5b32d5e193796c45f3a294dcbb99ec3256e523ce4af7be27c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-model-bank.yml"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70278, "scanner": "repobility-supply-chain", "fingerprint": "2af44c4322503a6187365972ff6b066e4e9cfdde5d418e154ab21231f5676e9f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2af44c4322503a6187365972ff6b066e4e9cfdde5d418e154ab21231f5676e9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-model-bank.yml"}, "region": {"startLine": 34}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70277, "scanner": "repobility-supply-chain", "fingerprint": "42332d69bf68e98edf33e973cbe78f3ff146ff5812bf903e136470cf09c70355", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|42332d69bf68e98edf33e973cbe78f3ff146ff5812bf903e136470cf09c70355"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-model-bank.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70276, "scanner": "repobility-supply-chain", "fingerprint": "43c5c8a27ebbfb7f7659d649f0f7796d6610097f9127f3cf33238d66bc8783d4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|43c5c8a27ebbfb7f7659d649f0f7796d6610097f9127f3cf33238d66bc8783d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release-model-bank.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70275, "scanner": "repobility-supply-chain", "fingerprint": "82d39bb4619f38766672375f8ec43dace022b25f9bcc915637c4df90372ce383", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|82d39bb4619f38766672375f8ec43dace022b25f9bcc915637c4df90372ce383"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-analyzer.yml"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70274, "scanner": "repobility-supply-chain", "fingerprint": "bfa0dbd6dfa33de50367a6a2d8f5e9a56c9a51f0b5a41645201cd0d88e14e7ae", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bfa0dbd6dfa33de50367a6a2d8f5e9a56c9a51f0b5a41645201cd0d88e14e7ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/bundle-analyzer.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `anthropics/claude-code-action` pinned to mutable ref `@v1`: `uses: anthropics/claude-code-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70273, "scanner": "repobility-supply-chain", "fingerprint": "672b206fbe5df0b6e759490b28775842089de337fd4dcfc94eb1a9fd32d608f5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|672b206fbe5df0b6e759490b28775842089de337fd4dcfc94eb1a9fd32d608f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-dedupe-issues.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70272, "scanner": "repobility-supply-chain", "fingerprint": "0d38d1eddc40d4878a6b75a3bfd5bc6fb283ca1dda4112701a4359f2e219fba6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0d38d1eddc40d4878a6b75a3bfd5bc6fb283ca1dda4112701a4359f2e219fba6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-dedupe-issues.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `anthropics/claude-code-action` pinned to mutable ref `@v1`: `uses: anthropics/claude-code-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70271, "scanner": "repobility-supply-chain", "fingerprint": "73614e413ccadfe13ec07437c737449e60222e1ae7d5956a3e665ceac2c90ea6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|73614e413ccadfe13ec07437c737449e60222e1ae7d5956a3e665ceac2c90ea6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-issue-triage.yml"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70270, "scanner": "repobility-supply-chain", "fingerprint": "e2737e35d47690899a1c002ebbfa0f847c4d6149cf18dea32606eb2555adb629", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e2737e35d47690899a1c002ebbfa0f847c4d6149cf18dea32606eb2555adb629"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-issue-triage.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `paradedb/paradedb:latest` unpinned: `container/services image: paradedb/paradedb:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 70269, "scanner": "repobility-supply-chain", "fingerprint": "be4eee8ef43f6edf3f839870b69db0e552637b546c2a17f9a46d8aa74c28dfc7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be4eee8ef43f6edf3f839870b69db0e552637b546c2a17f9a46d8aa74c28dfc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 231}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `codecov/codecov-action` pinned to mutable ref `@v5`: `uses: codecov/codecov-action@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70266, "scanner": "repobility-supply-chain", "fingerprint": "5be1000f1900bdd3f95eabbea591769cc7d669c790cfafe37a79813c965454bf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5be1000f1900bdd3f95eabbea591769cc7d669c790cfafe37a79813c965454bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 271}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `codecov/codecov-action` pinned to mutable ref `@v5`: `uses: codecov/codecov-action@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70265, "scanner": "repobility-supply-chain", "fingerprint": "9654c8052ffb0585901de6fc5095f9a515d7863e601b071f152ff688a15b4e9c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9654c8052ffb0585901de6fc5095f9a515d7863e601b071f152ff688a15b4e9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 216}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `codecov/codecov-action` pinned to mutable ref `@v5`: `uses: codecov/codecov-action@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70264, "scanner": "repobility-supply-chain", "fingerprint": "edc63666314ca1376d698cd04828fc422c6474c582c34a199acc7918d6fba159", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|edc63666314ca1376d698cd04828fc422c6474c582c34a199acc7918d6fba159"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 174}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v7`: `uses: actions/download-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70263, "scanner": "repobility-supply-chain", "fingerprint": "c7f8483458881e138dd38205ec0accdeff81dc156b838ea604411204ad5f3242", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c7f8483458881e138dd38205ec0accdeff81dc156b838ea604411204ad5f3242"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 164}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70262, "scanner": "repobility-supply-chain", "fingerprint": "71c9b3a027c6efa184f9d2071e8ea62e719348d429d78fa74fb00a7940e5a3a4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|71c9b3a027c6efa184f9d2071e8ea62e719348d429d78fa74fb00a7940e5a3a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `fkirc/skip-duplicate-actions` pinned to mutable ref `@v5`: `uses: fkirc/skip-duplicate-actions@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70261, "scanner": "repobility-supply-chain", "fingerprint": "8492f9f6a5e185fcc06b54a57e7014a6d28a586d309e0db93b3b8d40c064df65", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8492f9f6a5e185fcc06b54a57e7014a6d28a586d309e0db93b3b8d40c064df65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `anthropics/claude-code-action` pinned to mutable ref `@v1`: `uses: anthropics/claude-code-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70260, "scanner": "repobility-supply-chain", "fingerprint": "99bc195d8ccad44b7b73049303b0b22a3977ec5244e29b8084067e3cea9a0bc8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|99bc195d8ccad44b7b73049303b0b22a3977ec5244e29b8084067e3cea9a0bc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-translate-comments.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70259, "scanner": "repobility-supply-chain", "fingerprint": "3db9cc76dc819db0909cd84f774db2deef29dc6715cf23612a7f305e89a98666", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3db9cc76dc819db0909cd84f774db2deef29dc6715cf23612a7f305e89a98666"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-translate-comments.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `anthropics/claude-code-action` pinned to mutable ref `@v1`: `uses: anthropics/claude-code-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70258, "scanner": "repobility-supply-chain", "fingerprint": "17c91a9578f9e6c6d10573456f4162c4d43ffd828d0cbf82be3f3bbc588d600a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|17c91a9578f9e6c6d10573456f4162c4d43ffd828d0cbf82be3f3bbc588d600a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-pr-assign.yml"}, "region": {"startLine": 84}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 70257, "scanner": "repobility-supply-chain", "fingerprint": "4dd80726b123f5312803ca610f4caff7cb30b72754383cd4965f3921d585becf", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4dd80726b123f5312803ca610f4caff7cb30b72754383cd4965f3921d585becf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/claude-pr-assign.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `xlsx` pulled from URL/Git: `dependencies.xlsx` = `https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 70256, "scanner": "repobility-supply-chain", "fingerprint": "97680d302b2ceafc9c3595d04091f61a881d4b33bc257c4c7337eb627245c80c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|97680d302b2ceafc9c3595d04091f61a881d4b33bc257c4c7337eb627245c80c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/file-loaders/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED122", "level": "error", "message": {"text": "[MINED122] package.json dep `xlsx` pulled from URL/Git: `dependencies.xlsx` = `https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. 
If the URL or git host is compromised, every `npm install` pulls the new payload."}, "properties": {"repobilityId": 70255, "scanner": "repobility-supply-chain", "fingerprint": "fd424173ee4ef271d725a9c1c194640fed9f0463c479c76a510178780ad298f6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "npm-dep-git-or-tarball-url", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["javascript"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fd424173ee4ef271d725a9c1c194640fed9f0463c479c76a510178780ad298f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eval-dataset-parser/package.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `busybox:latest` not pinned by digest: `FROM busybox:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 70254, "scanner": "repobility-supply-chain", "fingerprint": "4824b333c1ec3c4fbc3074b6a7c4a7374564c794f049e21155ea30ec92053d72", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|4824b333c1ec3c4fbc3074b6a7c4a7374564c794f049e21155ea30ec92053d72"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 105}}}]}, {"ruleId": "JRN004", "level": "error", "message": {"text": "Consent is collected in UI without visible backend audit persistence"}, "properties": {"repobilityId": 70247, "scanner": "repobility-journey-contract", "fingerprint": "4ea91673938cf67e935e71a0aaadd84136eff1495fda7bdf5a36449f08689d27", "category": "auth", "severity": "high", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Frontend consent wording was found, but backend consent/audit metadata was not visible.", "evidence": {"rule_id": "JRN004", "scanner": "repobility-journey-contract", "references": ["https://repobility.com/library/authorization/"], "correlation_key": "code|auth|token|51|jrn004", "backend_consent_model": false, "backend_audit_signal_count": 2}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/builtin-skills/src/lobehub/references/bot-lark.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 70197, "scanner": "repobility-docker", "fingerprint": 
"41069323f62bc1db39e106c356a0a2f8ef12cdbc9d2d83b97e9588060fd52b12", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "6379:6379", "target": "6379", "host_ip": "", "published": "6379"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|41069323f62bc1db39e106c356a0a2f8ef12cdbc9d2d83b97e9588060fd52b12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/dev/docker-compose.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 70184, "scanner": "repobility-docker", "fingerprint": "f634bf73c1db96018658687f079b7e6e46667ce9c8acbb1567e33539e22276bb", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "6379:6379", "target": "6379", "host_ip": "", "published": "6379"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|f634bf73c1db96018658687f079b7e6e46667ce9c8acbb1567e33539e22276bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/deploy/docker-compose.yml"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC027", 
"level": "error", "message": {"text": "[SEC027] XML External Entity (XXE) \u2014 Node.js xml parsers: Node.js XML parsers can expand external entities if not configured. libxmljs in particular has had XXE CVEs."}, "properties": {"repobilityId": 70149, "scanner": "repobility-threat-engine", "fingerprint": "8f4c42793b6b30cfe036cfbbbf18d5a6dfac56f9b3874631cb0e6bde2c270c16", "category": "xxe", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new DOMParser()", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC027", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8f4c42793b6b30cfe036cfbbbf18d5a6dfac56f9b3874631cb0e6bde2c270c16"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/file-loaders/src/utils/parser-utils.ts"}, "region": {"startLine": 17}}}]}, {"ruleId": "SEC013", "level": "error", "message": {"text": "[SEC013] Path Traversal \u2014 User Input in File Path: User-controlled input used in file path without sanitization. 
Allows reading arbitrary files."}, "properties": {"repobilityId": 70148, "scanner": "repobility-threat-engine", "fingerprint": "21aca4642013befd517e344cf2934e540b5b8118bca4450786791bf8b04da363", "category": "path_traversal", "severity": "high", "confidence": 0.8, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "User-controlled input detected in file path construction", "evidence": {"match": "open(zipInput", "reason": "User-controlled input detected in file path construction", "rule_id": "SEC013", "scanner": "repobility-threat-engine", "confidence": 0.8, "correlation_key": "code|path_traversal|token|102|sec013"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/file-loaders/src/utils/parser-utils.ts"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 70147, "scanner": "repobility-threat-engine", "fingerprint": "b85fdc712eb72247e4a733f3d01cdd76f58271b3cef36726342371ce51fb66c8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b85fdc712eb72247e4a733f3d01cdd76f58271b3cef36726342371ce51fb66c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/electron-client-ipc/src/types/heterogeneousAgent.ts"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just 
checksums)."}, "properties": {"repobilityId": 70145, "scanner": "repobility-threat-engine", "fingerprint": "8598798e118c08709ee2b73e92818db7ef17af34027251d54cc7d0a6aaa6bae6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8598798e118c08709ee2b73e92818db7ef17af34027251d54cc7d0a6aaa6bae6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/context-engine/src/engine/tools/ToolNameResolver.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 70144, "scanner": "repobility-threat-engine", "fingerprint": "ec7a38763320a74ba27625dfc0dcb94d0c54192202033a9ddb00eb7eff0976f6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ec7a38763320a74ba27625dfc0dcb94d0c54192202033a9ddb00eb7eff0976f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/chat-adapter-wechat/src/types.ts"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC114", "level": "error", 
"message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 70143, "scanner": "repobility-threat-engine", "fingerprint": "045edd73a17b3f3aa31deac159861650e335da2302b371957cd8de2c5322c18f", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(scope, input", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|40|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/builtin-tool-local-system/src/utils/path.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 70135, "scanner": "repobility-threat-engine", "fingerprint": "1336a8cca9c5552fb893161008359c80971be024a5cdd50d03af408f8a1c524d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(extractor", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1336a8cca9c5552fb893161008359c80971be024a5cdd50d03af408f8a1c524d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/eval-rubric/src/extractors.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 70134, "scanner": "repobility-threat-engine", "fingerprint": "e59c730e3170b09b5f7bff5c91145fe8597ce83dce1985702fca673a63b2c5b8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(rules", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e59c730e3170b09b5f7bff5c91145fe8597ce83dce1985702fca673a63b2c5b8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/database/src/models/agentDocuments/policy/loadPolicy.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 70133, "scanner": "repobility-threat-engine", "fingerprint": "31c5a2cbcb468e03d8e532f635f8a53021ed0104fe1ef5f507483b233e4a2318", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|31c5a2cbcb468e03d8e532f635f8a53021ed0104fe1ef5f507483b233e4a2318"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent-runtime/src/core/InterventionChecker.ts"}, "region": {"startLine": 182}}}]}, {"ruleId": "MINED027", "level": "error", "message": {"text": "[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState \u2014 React skips re-render on mutated reference."}, "properties": {"repobilityId": 70130, "scanner": "repobility-threat-engine", "fingerprint": "825cfc51070b739618ab2faf96122036b7ed9ca1b9d6b17181f79c09ff484e9d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-state-array-mutation", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347961+00:00", "triaged_in_corpus": 15, "observations_count": 14444, "ai_coder_pattern_id": 136}, "scanner": "repobility-threat-engine", "correlation_key": "fp|825cfc51070b739618ab2faf96122036b7ed9ca1b9d6b17181f79c09ff484e9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent-runtime/examples/tools-calling.ts"}, "region": 
{"startLine": 172}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 70125, "scanner": "repobility-threat-engine", "fingerprint": "65cb7bf781d6c2ec4366e49b23524f40960903ae8ddea5886a7e5bac4b6aa71f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.detectors.delete(name);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|65cb7bf781d6c2ec4366e49b23524f40960903ae8ddea5886a7e5bac4b6aa71f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/main/core/infrastructure/ToolDetectorManager.ts"}, "region": {"startLine": 114}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 70124, "scanner": "repobility-threat-engine", "fingerprint": "3980d5c99e74f44241535203b9fa487cd08c22578d1ac1f00bc578fc66971956", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.store.delete(key);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3980d5c99e74f44241535203b9fa487cd08c22578d1ac1f00bc578fc66971956"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/main/core/infrastructure/StoreManager.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 70123, "scanner": "repobility-threat-engine", "fingerprint": "6bbb3ef52fbfb8765d02ac306b242bd48eb68b052b4fb58ef0b9967b4303da75", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.previewTokens.delete(token);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6bbb3ef52fbfb8765d02ac306b242bd48eb68b052b4fb58ef0b9967b4303da75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/main/core/infrastructure/LocalFileProtocolManager.ts"}, "region": {"startLine": 290}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 70121, "scanner": "repobility-threat-engine", "fingerprint": "116e83b6d337296550b1f0116281a2ad7595b4e449c235608d9da938da8a38bc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|116e83b6d337296550b1f0116281a2ad7595b4e449c235608d9da938da8a38bc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/main/utils/git.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 70120, "scanner": "repobility-threat-engine", "fingerprint": "40f34b28db01ceea1743811435d6016ca153e789d43917a3e0d67e3f291b4d4b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(rangeHeader", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|40f34b28db01ceea1743811435d6016ca153e789d43917a3e0d67e3f291b4d4b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/main/core/infrastructure/RendererProtocolManager.ts"}, "region": {"startLine": 116}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 70119, "scanner": "repobility-threat-engine", "fingerprint": "03c412936a81c3620204daffc6813d6ffd8e58b3e8afd840f1fd802da7b739f3", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(params", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|03c412936a81c3620204daffc6813d6ffd8e58b3e8afd840f1fd802da7b739f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/src/main/controllers/ShellCommandCtr.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 70082, "scanner": "repobility-threat-engine", "fingerprint": "fce674a0357197787136d322779f72b2da94644b58eaab913776e2fd62609ec9", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((m) => `- ${m}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fce674a0357197787136d322779f72b2da94644b58eaab913776e2fd62609ec9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/src/commands/config.ts"}, "region": {"startLine": 130}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 70081, "scanner": "repobility-threat-engine", "fingerprint": "1334b5092375be380dacdcc1a03ffe4c12d217e7156a478deb37894e29277804", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((l) => `${l.level}: ${l.message}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1334b5092375be380dacdcc1a03ffe4c12d217e7156a478deb37894e29277804"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/local-testing/scripts/agent-gateway/run.ts"}, "region": {"startLine": 61}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 70080, "scanner": "repobility-threat-engine", "fingerprint": "386489dbdcf9ed889954fe735a395cd6232a65147298b8526a3eb9438ee7e477", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((m) => `${m.id}:${m.role}/c${m.cLen}/r${m.rLen}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|386489dbdcf9ed889954fe735a395cd6232a65147298b8526a3eb9438ee7e477"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/local-testing/scripts/agent-gateway/analyze-events.ts"}, "region": {"startLine": 102}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 70078, "scanner": "repobility-threat-engine", "fingerprint": "5514dc37c22ff342e9b72e3f0a28d632c29d7719c1503d374ae1c71825c1e03e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL (c", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5514dc37c22ff342e9b72e3f0a28d632c29d7719c1503d374ae1c71825c1e03e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/src/commands/file.ts"}, "region": {"startLine": 117}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 70077, "scanner": "repobility-threat-engine", "fingerprint": "e8a0a6c2a862282d841be10bd242722691a9eec193dc64e53b57d5f41da29104", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Url(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e8a0a6c2a862282d841be10bd242722691a9eec193dc64e53b57d5f41da29104"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/cli/src/auth/apiKey.ts"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. 
SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 70076, "scanner": "repobility-threat-engine", "fingerprint": "95b1f107af4cfbc0cc7a27829262fd4f394f7476e7ad1fdb7c0537423a1aef5b", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "urllib.request.urlopen(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|95b1f107af4cfbc0cc7a27829262fd4f394f7476e7ad1fdb7c0537423a1aef5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/local-testing/bot/imessage/send-imessage-test.sh"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKER_REGISTRY_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_REGISTRY_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 70305, "scanner": "repobility-supply-chain", "fingerprint": "d51ede0cb1e8e5cd088d4a14da81b58dd494a188d734449426bf230b737a7c65", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d51ede0cb1e8e5cd088d4a14da81b58dd494a188d734449426bf230b737a7c65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-docker.yml"}, "region": {"startLine": 142}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKER_REGISTRY_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_REGISTRY_USER }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 70304, "scanner": "repobility-supply-chain", "fingerprint": "0fbc310c0a3ab399c59719bb9e13ea6fd6a745787c110ad2daa0e63ce384994e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0fbc310c0a3ab399c59719bb9e13ea6fd6a745787c110ad2daa0e63ce384994e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-docker.yml"}, "region": {"startLine": 141}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKER_REGISTRY_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_REGISTRY_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 70303, "scanner": "repobility-supply-chain", "fingerprint": "c8a4e39f70fc4e1180f05a423996f0f6f60df4818ad1de8233f35c127c819c34", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c8a4e39f70fc4e1180f05a423996f0f6f60df4818ad1de8233f35c127c819c34"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-docker.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DOCKER_REGISTRY_USER` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_REGISTRY_USER }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 70302, "scanner": "repobility-supply-chain", "fingerprint": "f85b84667529794a22d8dfad61a923c1c8d3f7fca5db776624356cc7d8d182d9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f85b84667529794a22d8dfad61a923c1c8d3f7fca5db776624356cc7d8d182d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-docker.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UMAMI_NIGHTLY_DESKTOP_BASE_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UMAMI_NIGHTLY_DESKTOP_BASE_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 70298, "scanner": "repobility-supply-chain", "fingerprint": "c68ac08fc2f2528bfcc633b2add1840b63c757cd78f82553e948dd49918d2b0a", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c68ac08fc2f2528bfcc633b2add1840b63c757cd78f82553e948dd49918d2b0a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-desktop.yml"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UMAMI_NIGHTLY_DESKTOP_PROJECT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UMAMI_NIGHTLY_DESKTOP_PROJECT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 70297, "scanner": "repobility-supply-chain", "fingerprint": "8670865ea488bf9cef31c9fb20c086c6a5283846e650cb4d107a66e84d6feb0d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8670865ea488bf9cef31c9fb20c086c6a5283846e650cb4d107a66e84d6feb0d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-desktop.yml"}, "region": {"startLine": 155}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UPDATE_SERVER_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UPDATE_SERVER_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 70296, "scanner": "repobility-supply-chain", "fingerprint": "a43e379b4a99a380d30e963b2be19c31e883d8408fcc952bc685f2bd7a29cd4e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a43e379b4a99a380d30e963b2be19c31e883d8408fcc952bc685f2bd7a29cd4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-desktop.yml"}, "region": {"startLine": 151}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UMAMI_NIGHTLY_DESKTOP_BASE_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UMAMI_NIGHTLY_DESKTOP_BASE_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 70295, "scanner": "repobility-supply-chain", "fingerprint": "bc783e7f3677f3319e7fe9e1e37ef7c6871ac2cd3a7896cd1057e8afa5880347", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bc783e7f3677f3319e7fe9e1e37ef7c6871ac2cd3a7896cd1057e8afa5880347"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-desktop.yml"}, "region": {"startLine": 139}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UMAMI_NIGHTLY_DESKTOP_PROJECT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UMAMI_NIGHTLY_DESKTOP_PROJECT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 70294, "scanner": "repobility-supply-chain", "fingerprint": "5ab550eb1daebd953f79c4a54875b3ad576dace308ab627fd2a7b3426b2ddc14", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5ab550eb1daebd953f79c4a54875b3ad576dace308ab627fd2a7b3426b2ddc14"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-desktop.yml"}, "region": {"startLine": 138}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UPDATE_SERVER_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UPDATE_SERVER_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 70293, "scanner": "repobility-supply-chain", "fingerprint": "2e04800aabd63afd2de0175f6a2fafc4548da22486f22e5f1bdcd70fb8fff3bb", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2e04800aabd63afd2de0175f6a2fafc4548da22486f22e5f1bdcd70fb8fff3bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-desktop.yml"}, "region": {"startLine": 134}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APPLE_TEAM_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_TEAM_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 70292, "scanner": "repobility-supply-chain", "fingerprint": "0d63b7de77d2d0d7fd9d75d3c56af5516dcec7f8306908704490a233aa5c54c9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0d63b7de77d2d0d7fd9d75d3c56af5516dcec7f8306908704490a233aa5c54c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-desktop.yml"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APPLE_APP_SPECIFIC_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_APP_SPECIFIC_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 70291, "scanner": "repobility-supply-chain", "fingerprint": "1d4093ce30c5b6ef336397ad396113c5b696e93ff69e7e6f44dedbecc90de2dc", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1d4093ce30c5b6ef336397ad396113c5b696e93ff69e7e6f44dedbecc90de2dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-desktop.yml"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APPLE_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 70290, "scanner": "repobility-supply-chain", "fingerprint": "e0054040145da4caf4ce76781c225eea1a41097f829d6c999c8a8fbed276b2e6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e0054040145da4caf4ce76781c225eea1a41097f829d6c999c8a8fbed276b2e6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-desktop.yml"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UMAMI_NIGHTLY_DESKTOP_BASE_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UMAMI_NIGHTLY_DESKTOP_BASE_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 70289, "scanner": "repobility-supply-chain", "fingerprint": "674706c8235d84143b04ea1eed7eae85bd05c083269f2726a1ed17becbcff353", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|674706c8235d84143b04ea1eed7eae85bd05c083269f2726a1ed17becbcff353"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-desktop.yml"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UMAMI_NIGHTLY_DESKTOP_PROJECT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UMAMI_NIGHTLY_DESKTOP_PROJECT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 70288, "scanner": "repobility-supply-chain", "fingerprint": "cd49301337caf2c772806893d0d678e0102b914cbdf8af882b3fea7465ad9dfa", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd49301337caf2c772806893d0d678e0102b914cbdf8af882b3fea7465ad9dfa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-desktop.yml"}, "region": {"startLine": 117}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APPLE_CERTIFICATE_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_CERTIFICATE_PASSWORD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 70287, "scanner": "repobility-supply-chain", "fingerprint": "d307b312e49ac1f5683c047a79caee1b675f7bea712a19af6a67024c1ec000f6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d307b312e49ac1f5683c047a79caee1b675f7bea712a19af6a67024c1ec000f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-desktop.yml"}, "region": {"startLine": 116}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.APPLE_CERTIFICATE_BASE64` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.APPLE_CERTIFICATE_BASE64 }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 70286, "scanner": "repobility-supply-chain", "fingerprint": "a7437e17a44b7c8e8759a1eeb96b9d5315f9425bad64d597eb358a1423758137", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a7437e17a44b7c8e8759a1eeb96b9d5315f9425bad64d597eb358a1423758137"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-desktop.yml"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.UPDATE_SERVER_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UPDATE_SERVER_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 70285, "scanner": "repobility-supply-chain", "fingerprint": "999a917e3da85c666776a87a96286652144cedcd1a97f64857f0fbd1d9ff3fdd", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|999a917e3da85c666776a87a96286652144cedcd1a97f64857f0fbd1d9ff3fdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-build-desktop.yml"}, "region": {"startLine": 109}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.head.ref in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.head.ref }} into shell. 
PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 70268, "scanner": "repobility-supply-chain", "fingerprint": "dee20e3d94812547902593fa69032d2aa75fbccb33adde293d981b8f84f5045e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dee20e3d94812547902593fa69032d2aa75fbccb33adde293d981b8f84f5045e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED125", "level": "error", "message": {"text": "[MINED125] GHA script injection via github.event.pull_request.head.label in run-step: Multi-line `run: |` block interpolates ${{ github.event.pull_request.head.label }} into shell. 
PR title/body/branch/comment fields are attacker-controllable."}, "properties": {"repobilityId": 70267, "scanner": "repobility-supply-chain", "fingerprint": "0f3357f2c859c41da830c86de4f18dfd22daf5c9c168951b93218a90b418219b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-script-injection", "owasp": "A03:2021", "cwe_ids": ["CWE-78", "CWE-94"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0f3357f2c859c41da830c86de4f18dfd22daf5c9c168951b93218a90b418219b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test.yml"}, "region": {"startLine": 79}}}]}, {"ruleId": "JRN001", "level": "error", "message": {"text": "Token handoff appears to use a callback URL or fragment"}, "properties": {"repobilityId": 70231, "scanner": "repobility-journey-contract", "fingerprint": "fcb846388f6642d6bf9fa0eb0feeea6bc63d8a77892e619ace431ca77fe6653d", "category": "auth", "severity": "critical", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Callback/redirect wording, token-in-URL syntax, and navigation code appear near each other.", "evidence": {"rule_id": "JRN001", "scanner": "repobility-journey-contract", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html", "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html"], "correlation_key": "code|auth|src/app/ variants / auth /reset-password/page.tsx|5|jrn001"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app/[variants]/(auth)/reset-password/page.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 
70217, "scanner": "repobility-docker", "fingerprint": "73fdb1ca42e8ea22554fe6f3121e7004a868118186c86ca75b6f73e6ee4f10f9", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "lobe", "variable": "KEY_VAULTS_SECRET", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|73fdb1ca42e8ea22554fe6f3121e7004a868118186c86ca75b6f73e6ee4f10f9", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose/production/grafana/docker-compose.yml"}, "region": {"startLine": 159}}}]}, {"ruleId": "DKR005", "level": "error", "message": {"text": "Docker image bakes a secret-like ENV value"}, "properties": {"repobilityId": 70174, "scanner": "repobility-docker", "fingerprint": "66558aee9053fda327d820f389a21eed053d985d97665b73f750bea9d6945bec", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "ENV assigns a literal value to a secret-like variable name.", "evidence": {"rule_id": "DKR005", "scanner": "repobility-docker", "variable": "KEY_VAULTS_SECRET", "references": ["https://docs.docker.com/build/building/secrets/", "https://docs.docker.com/compose/how-tos/environment-variables/best-practices/"], "correlation_key": "fp|66558aee9053fda327d820f389a21eed053d985d97665b73f750bea9d6945bec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 46}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full 
RCE via templates."}, "properties": {"repobilityId": 70146, "scanner": "repobility-threat-engine", "fingerprint": "ac3c1bdefdf508c4f3369b6d8321d6e7735eb69b0489b362f0114c318bd0c1fc", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ac3c1bdefdf508c4f3369b6d8321d6e7735eb69b0489b362f0114c318bd0c1fc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/context-engine/src/processors/InputTemplate.ts"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) 
compiles strings to functions."}, "properties": {"repobilityId": 70132, "scanner": "repobility-threat-engine", "fingerprint": "0fc62b9d9b2a3461bd4af7fefeb90b074f8f996502bbae3c739236b82991535a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0fc62b9d9b2a3461bd4af7fefeb90b074f8f996502bbae3c739236b82991535a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent-runtime/src/agents/GraphAgent.ts"}, "region": {"startLine": 284}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) 
compiles strings to functions."}, "properties": {"repobilityId": 70131, "scanner": "repobility-threat-engine", "fingerprint": "4e412dc1c0cfef077c85f1e7e5712cf50f6df4b576ba422699e0edf0d68d8358", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4e412dc1c0cfef077c85f1e7e5712cf50f6df4b576ba422699e0edf0d68d8358"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "packages/agent-runtime/examples/tools-calling.ts"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. 
Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 70114, "scanner": "repobility-threat-engine", "fingerprint": "70ffdd65c80cfa5f14a40fda738f7c2aa7143b108d5b680d49b25b9907bc7025", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(srcDefaultLocales", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|70ffdd65c80cfa5f14a40fda738f7c2aa7143b108d5b680d49b25b9907bc7025"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/scripts/i18nWorkflow/genDiff.ts"}, "region": {"startLine": 18}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 70113, "scanner": "repobility-threat-engine", "fingerprint": "e0e133ed8e2c2727c528195cd583f6aae333760e79595160733d418d20dd7c38", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(srcDefaultLocales", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e0e133ed8e2c2727c528195cd583f6aae333760e79595160733d418d20dd7c38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "apps/desktop/scripts/i18nWorkflow/genDefaultLocale.ts"}, "region": {"startLine": 19}}}]}]}]}