{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC125", "name": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeh", "shortDescription": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim "}, "fullDescription": {"text": "Replace with env lookup: `API_KEY = os.environ['SERVICE_API_KEY']`. Move actual key to a secret manager. Add a startup check that the env var is non-empty so missing config fails loudly instead of shipping the placeholder."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC003", "name": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code.", "shortDescription": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "fullDescription": {"text": "Never commit secrets. Use .env files with .gitignore."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED077", "name": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.", "shortDescription": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-772 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `gcr.io/datadoghq/agent:latest` unpinned: `container/services image: gcr.io", "shortDescription": {"text": "[MINED126] Workflow container/services image `gcr.io/datadoghq/agent:latest` unpinned: `container/services image: gcr.io/datadoghq/agent:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container refere"}, "fullDescription": {"text": "Replace with `gcr.io/datadoghq/agent:latest@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.double_emphasis` used but never assigned in __init__: Method `header` of class `CustomRenderer` reads `", "shortDescription": {"text": "[MINED108] `self.double_emphasis` used but never assigned in __init__: Method `header` of class `CustomRenderer` reads `self.double_emphasis`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeEr"}, "fullDescription": {"text": "Initialize `self.double_emphasis = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `find_obj` has cognitive complexity 45 (SonarSource scale). Cognitive comp", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `find_obj` has cognitive complexity 45 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all "}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 45."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.DD_CLIENT_APP_KEY` on a `pull_request` trigger: This workflow triggers on `pull_reques", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.DD_CLIENT_APP_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DD_CLIENT_APP_KEY }` lets a PR from any fork exfiltrate th"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1030"}, "properties": {"repository": "DataDog/datadog-api-client-python", "repoUrl": "https://github.com/DataDog/datadog-api-client-python", "branch": "master"}, "results": [{"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 96597, "scanner": "repobility-ast-engine", "fingerprint": "6cb6d8b261c9829cb2f3de00b56635f7b3cd4df1a6462e634b7e3cc6108264fd", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6cb6d8b261c9829cb2f3de00b56635f7b3cd4df1a6462e634b7e3cc6108264fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/datadog/aws.py"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 96595, "scanner": "repobility-ast-engine", "fingerprint": "5519c3a18c6dcb8405ba4c0439abab15a3b9a4f20e3e68ef2f5cdddd7b4a1421", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|5519c3a18c6dcb8405ba4c0439abab15a3b9a4f20e3e68ef2f5cdddd7b4a1421"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".generator/conftest.py"}, "region": {"startLine": 97}}}]}, {"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 96594, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "SEC125", "level": "warning", "message": {"text": "[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = \"your-api-key-here\"` instead of pulling from env. These get committed verbatim \u2014 production code with a literal placeholder string is a near-certain bug, and the value also leaks what credential type the system expects to authentication crawlers. CWE-1188. Distinctive AI footprint: the exact phrase shape `your-X-here` is uncommon in hand"}, "properties": {"repobilityId": 96593, "scanner": "repobility-threat-engine", "fingerprint": "16834d4353a9c86779b725a14eccd2b31922612b162083e94418811e7c1fff5e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"<YOUR-API-KEY>\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC125", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|16834d4353a9c86779b725a14eccd2b31922612b162083e94418811e7c1fff5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/v1/synthetics/CreateSyntheticsAPITest_2547523542.py"}, "region": {"startLine": 69}}}]}, {"ruleId": "SEC003", "level": "warning", "message": {"text": "[SEC003] Hardcoded Secret: Hardcoded secret key found in source code."}, "properties": {"repobilityId": 96592, "scanner": "repobility-threat-engine", "fingerprint": "f19debabac245e10c744c82449397288bbad966acae665a5cca0d58251253b1a", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (2.6 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: documentation/example path]", "evidence": {"match": "secret_key=\"secretKey\"", "reason": "Low entropy value (2.6 bits) \u2014 may be placeholder or common string | [R34 auto-suppress: documentation/example path]", "rule_id": "SEC003", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|token|8|secret_key secretkey"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/v1/synthetics/CreateSyntheticsAPITest_1717840259.py"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 96586, "scanner": "repobility-threat-engine", "fingerprint": "0aba779fd8c8a3d7939661bdcf45138b369883939b21b9a000d57c288c16a534", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url=\"https://example.org", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|0aba779fd8c8a3d7939661bdcf45138b369883939b21b9a000d57c288c16a534"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/v1/synthetics/CreateSyntheticsAPITest_2547523542.py"}, "region": {"startLine": 65}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 96585, "scanner": "repobility-threat-engine", "fingerprint": "719abe4f91a427612d11886153ff2be8fed818662fb9dbf4c8bb0aa5933baa86", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url=\"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|719abe4f91a427612d11886153ff2be8fed818662fb9dbf4c8bb0aa5933baa86"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/v1/synthetics/CreateSyntheticsAPITest.py"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 96584, "scanner": "repobility-threat-engine", "fingerprint": "f2e509962b36d11ed1504af5c664d39f1360e8c262b8eda9fe0f3a25dae0f27f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url=\"https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f2e509962b36d11ed1504af5c664d39f1360e8c262b8eda9fe0f3a25dae0f27f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/v1/dashboards/CreateDashboard_651038379.py"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 96589, "scanner": "repobility-threat-engine", "fingerprint": "8c0b654c97415d999c1fdb8bbba07de77b79fb7341cb6668a77bf8209211aca0", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value looks like a development placeholder, not a live credential | [R34 auto-suppress: documentation/example path] Collapsed 1 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"match": "password=\"<redacted>\"", "reason": "Value looks like a development placeholder, not a live credential | [R34 auto-suppress: documentation/example path]", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|4|password redacted", "duplicate_count": 1, "duplicate_rule_ids": ["SEC001"], "duplicate_scanners": ["repobility-threat-engine"], "duplicate_fingerprints": ["104ebe3263e76a4c3e67f492c0f4caade0e17d3308448a4bd077e039499bf69f", "8c0b654c97415d999c1fdb8bbba07de77b79fb7341cb6668a77bf8209211aca0"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/v1/synthetics/CreateSyntheticsAPITest_1717840259.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "SEC001", "level": "none", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 96588, "scanner": "repobility-threat-engine", "fingerprint": "a1f2742e0b3ef25445732c88e6126d499f0d863baec90bf650a8f3913c643747", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Value looks like a development placeholder, not a live credential | [R34 auto-suppress: documentation/example path]", "evidence": {"match": "password=\"<redacted>\"", "reason": "Value looks like a development placeholder, not a live credential | [R34 auto-suppress: documentation/example path]", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|23|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/v1/synthetics/CreateSyntheticsAPITest_1279271422.py"}, "region": {"startLine": 233}}}]}, {"ruleId": "MINED077", "level": "none", "message": {"text": "[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles."}, "properties": {"repobilityId": 96587, "scanner": "repobility-threat-engine", "fingerprint": "0ef0d28da879872f1e88e8d33f2c0f357695b22b82cba78d80db0548f0236701", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-open-no-context", "owasp": null, "cwe_ids": ["CWE-772"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348081+00:00", "triaged_in_corpus": 12, "observations_count": 7864, "ai_coder_pattern_id": 123}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0ef0d28da879872f1e88e8d33f2c0f357695b22b82cba78d80db0548f0236701"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/v1/organizations/UploadIdPForOrg.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 96583, "scanner": "repobility-threat-engine", "fingerprint": "27758d949571858de3bded52fbd64c72bf477e88d9c3de9aac7b7db07f586f0f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|27758d949571858de3bded52fbd64c72bf477e88d9c3de9aac7b7db07f586f0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/datadog/aws.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 96582, "scanner": "repobility-threat-engine", "fingerprint": "b9d625859bcab90f3957dbade7b3bd10a948f75d71e90fc85e93b8a09d2da992", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "print(\"Please set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN\")", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|examples/datadog/aws.py|2|print please set aws_access_key_id aws_secret_access_key and aws_session_token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/datadog/aws.py"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `gcr.io/datadoghq/agent:latest` unpinned: `container/services image: gcr.io/datadoghq/agent:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 96601, "scanner": "repobility-supply-chain", "fingerprint": "73bcf726f32b45b89f87e4ba8cb23bf3c04f7677924a871196acc0cb8d967c82", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|73bcf726f32b45b89f87e4ba8cb23bf3c04f7677924a871196acc0cb8d967c82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/reusable-integration-test.yml"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.double_emphasis` used but never assigned in __init__: Method `header` of class `CustomRenderer` reads `self.double_emphasis`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 96596, "scanner": "repobility-ast-engine", "fingerprint": "b10d91a5dad8f2c8a4a6a31af515ceb44ad59aa6ac37ca07935e58a31e6ba898", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b10d91a5dad8f2c8a4a6a31af515ceb44ad59aa6ac37ca07935e58a31e6ba898"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".generator/src/generator/formatter.py"}, "region": {"startLine": 165}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 96591, "scanner": "repobility-threat-engine", "fingerprint": "e68c67893de4af2f0a123e94f4c6865d60920ad6545833770a79929e13f06e8b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e68c67893de4af2f0a123e94f4c6865d60920ad6545833770a79929e13f06e8b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/v1/synthetics/CreateSyntheticsAPITest_1987645492.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 96590, "scanner": "repobility-threat-engine", "fingerprint": "21cdfcc5356832f672eb413287128816de45cdb9f0056e1ef33d6f272e437374", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|21cdfcc5356832f672eb413287128816de45cdb9f0056e1ef33d6f272e437374"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "examples/v1/synthetics/CreateSyntheticsAPITest_1487281163.py"}, "region": {"startLine": 104}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `find_obj` has cognitive complexity 45 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. Breakdown: and=1, elif=6, else=2, if=12, nested_bonus=24."}, "properties": {"repobilityId": 96581, "scanner": "repobility-threat-engine", "fingerprint": "b920052ce4ce2d9337075782612beb4fbe4694d4e477ac3e9b4f57cc286a8a17", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 45 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "find_obj", "breakdown": {"if": 12, "and": 1, "elif": 6, "else": 2, "nested_bonus": 24}, "complexity": 45, "correlation_key": "fp|b920052ce4ce2d9337075782612beb4fbe4694d4e477ac3e9b4f57cc286a8a17"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docs/conf.py"}, "region": {"startLine": 81}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DD_CLIENT_APP_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DD_CLIENT_APP_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96600, "scanner": "repobility-supply-chain", "fingerprint": "e6f7820a081439d085fe554be41986aaa335f95f3ff6df7d341b6b5ce037f108", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e6f7820a081439d085fe554be41986aaa335f95f3ff6df7d341b6b5ce037f108"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/reusable-integration-test.yml"}, "region": {"startLine": 124}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DD_CLIENT_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DD_CLIENT_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96599, "scanner": "repobility-supply-chain", "fingerprint": "17ae30e68ad607b0ab77ad7ef3ef52e5eaece2a53e939007b3d16238051ba7b0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|17ae30e68ad607b0ab77ad7ef3ef52e5eaece2a53e939007b3d16238051ba7b0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/reusable-integration-test.yml"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DD_API_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DD_API_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 96598, "scanner": "repobility-supply-chain", "fingerprint": "2b561420eb7d124e96f780321ed64ec4b77f992dd71f623d7df8e728d0a96984", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2b561420eb7d124e96f780321ed64ec4b77f992dd71f623d7df8e728d0a96984"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/reusable-integration-test.yml"}, "region": {"startLine": 77}}}]}]}]}