{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "SEC091", "name": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnera", "shortDescription": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "fullDescription": {"text": "Construct `&http.Server{Addr: ..., ReadHeaderTimeout: 5*time.Second, ReadTimeout: 10*time.Second, WriteTimeout: 30*time.Second}`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC112", "name": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/templa", "shortDescription": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. Using either with user input = XSS."}, "fullDescription": {"text": "Use `html/template` (NOT `text/template`) for HTML responses. Never wrap user input with `template.HTML/JS/URL`."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB005", "name": "robots.txt does not advertise a sitemap", "shortDescription": {"text": "robots.txt does not advertise a sitemap"}, "fullDescription": {"text": "Sitemap directives in robots.txt help crawlers and AI agents find the canonical public URL inventory quickly."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "GHSA-q7pp-wcgr-pffx", "name": "github.com/disintegration/imaging: GHSA-q7pp-wcgr-pffx", "shortDescription": {"text": "github.com/disintegration/imaging: GHSA-q7pp-wcgr-pffx"}, "fullDescription": {"text": "Crash when processing crafted TIFF files"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "low", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR003", "name": "[ERR003] Ignored Error (Go): Ignoring error return values.", "shortDescription": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "fullDescription": {"text": "Handle the error or use errcheck linter."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Duplicated blocks are a common artifact when generated code is pasted or recreated instead of reused. They increase maintenance cost because every future bug fix must be found in multiple locations."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "MINED033", "name": "[MINED033] Go Recover Without Log (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED033] Go Recover Without Log (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED071", "name": "[MINED071] Go Panic Call (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED071] Go Panic Call (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.", "shortDescription": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED060", "name": "[MINED060] Go Context No Cancel (and 11 more): Same pattern found in 11 additional files. Review if needed.", "shortDescription": {"text": "[MINED060] Go Context No Cancel (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-401 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED016", "name": "[MINED016] Go Error Ignored (and 9 more): Same pattern found in 9 additional files. Review if needed.", "shortDescription": {"text": "[MINED016] Go Error Ignored (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-754 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 4 more): Same pattern found in 4 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5032", "name": "golang.org/x/image: GO-2026-5032", "shortDescription": {"text": "golang.org/x/image: GO-2026-5032"}, "fullDescription": {"text": "Excessive resource consumption in PackBits decompression in golang.org/x/image/tiff"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-5031", "name": "golang.org/x/image: GO-2026-5031", "shortDescription": {"text": "golang.org/x/image: GO-2026-5031"}, "fullDescription": {"text": "Panic when reading out of bound palette index in golang.org/x/image/bmp"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4962", "name": "golang.org/x/image: GO-2026-4962", "shortDescription": {"text": "golang.org/x/image: GO-2026-4962"}, "fullDescription": {"text": "Excessive memory allocation when decoding malicious SFNT in golang.org/x/image"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "GO-2026-4961", "name": "golang.org/x/image: GO-2026-4961", "shortDescription": {"text": "golang.org/x/image: GO-2026-4961"}, "fullDescription": {"text": "Panic when decoding large WEBP image on 32-bit platforms in golang.org/x/image"}, "properties": {"scanner": "osv-scanner", "category": "dependency", "severity": "high", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that int", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTM"}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC093", "name": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported", "shortDescription": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "fullDescription": {"text": "Use a constant command name and validate args via a whitelist."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "Action `charmbracelet/meta/.github/workflows/goreleaser.yml` pinned to mutable ref `@main`", "shortDescription": {"text": "Action `charmbracelet/meta/.github/workflows/goreleaser.yml` pinned to mutable ref `@main`"}, "fullDescription": {"text": "`uses: charmbracelet/meta/.github/workflows/goreleaser.yml@main` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "generic-api-key", "name": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.", "shortDescription": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "fullDescription": {"text": "Gitleaks detected a committed secret or credential pattern."}, "properties": {"scanner": "gitleaks", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1316"}, "properties": {"repository": "charmbracelet/crush", "repoUrl": "https://github.com/charmbracelet/crush", "branch": "main"}, "results": [{"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 134350, "scanner": "repobility-threat-engine", "fingerprint": "b2ed5a3a7a9a65021b36d05305e0510943931ca1626aa76bf6de2c69acfaf6f7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.ListenAndServe(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b2ed5a3a7a9a65021b36d05305e0510943931ca1626aa76bf6de2c69acfaf6f7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "main.go"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC091", "level": "warning", "message": {"text": "[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0)."}, "properties": {"repobilityId": 134349, "scanner": "repobility-threat-engine", "fingerprint": "1747b45a36dd7fca84dd59e4aaf6b1296d7aadf0693a866dbecf2a8bc1a50bbf", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "http.Server{\n\t\tProtocols: &p,\n\t\tHandler:   s.recoverHandler(s.loggingHandler(mux)),\n\t}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC091", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|1747b45a36dd7fca84dd59e4aaf6b1296d7aadf0693a866dbecf2a8bc1a50bbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/server.go"}, "region": {"startLine": 183}}}]}, {"ruleId": "SEC112", "level": "warning", "message": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. Using either with user input = XSS."}, "properties": {"repobilityId": 134342, "scanner": "repobility-threat-engine", "fingerprint": "37427b6cf0df43a99c109fe9217258034ac30dda1b3029d7c08bda14f7d25936", "category": "xss", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "fmt.Fprintln(b, styles.ApplyForegroundGrad(base, r, o.TitleColorA, o.TitleColorB))\n\t}\n\tcrush = b.Str", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC112", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|37427b6cf0df43a99c109fe9217258034ac30dda1b3029d7c08bda14f7d25936"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/ui/logo/logo.go"}, "region": {"startLine": 90}}}]}, {"ruleId": "SEC112", "level": "warning", "message": {"text": "[SEC112] Go html/template bypass \u2014 text/template used for HTML output, or template.HTML on user input: Go's `text/template` does no HTML escaping. `template.HTML(x)` marks data as already-safe. Using either with user input = XSS."}, "properties": {"repobilityId": 134341, "scanner": "repobility-threat-engine", "fingerprint": "f6d0581309f1c8e735bd194a77fb10a56ef5458b941885f996db0705d4b0c4a4", "category": "xss", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "template.HTML(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC112", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f6d0581309f1c8e735bd194a77fb10a56ef5458b941885f996db0705d4b0c4a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/cmd/stats.go"}, "region": {"startLine": 371}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 134308, "scanner": "repobility-threat-engine", "fingerprint": "5ec1e34a5ddd70d02ae3a3fcd8f48c0e7cc7d68c3c21f52e0d93787895db6c5d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|internal/db/files.sql.go|62|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/db/files.sql.go"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 134307, "scanner": "repobility-threat-engine", "fingerprint": "b42bf4cb6129334cf128e1e704ed077a064d2b2d3e6d71ebf30defbfef84c86d", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|22|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/db/connect_ncruces.go"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 134306, "scanner": "repobility-threat-engine", "fingerprint": "b7ede8dd7fd41ea989fb27a43eda29fdad4ddb8072737a9ca771ac24355e5394", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".Exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|251|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/agent/prompt/prompt.go"}, "region": {"startLine": 251}}}]}, {"ruleId": "WEB005", "level": "note", "message": {"text": "robots.txt does not advertise a sitemap"}, "properties": {"repobilityId": 134357, "scanner": "repobility-web-presence", "fingerprint": "a73d1a48320ba000dc245c16ec7c093024c60e28d26a9e2af18b45a20adc9d7b", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Discovered robots file or route lacks a Sitemap directive.", "evidence": {"rule_id": "WEB005", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://www.sitemaps.org/protocol.html"], "correlation_key": "fp|a73d1a48320ba000dc245c16ec7c093024c60e28d26a9e2af18b45a20adc9d7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/agent/testdata/TestCoderAgent/glm-5.1/bash_tool.yaml"}, "region": {"startLine": 1}}}]}, {"ruleId": "GHSA-q7pp-wcgr-pffx", "level": "note", "message": {"text": "github.com/disintegration/imaging: GHSA-q7pp-wcgr-pffx"}, "properties": {"repobilityId": 134352, "scanner": "osv-scanner", "fingerprint": "829e7f8129a1c711c33038fc9be58fb66d78b6c2cb915948786293574bc17ce5", "category": "dependency", "severity": "low", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2023-36308"], "package": "github.com/disintegration/imaging", "rule_id": "GHSA-q7pp-wcgr-pffx", "scanner": "osv-scanner", "correlation_key": "vuln|token|CVE-2023-36308|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 134343, "scanner": "repobility-threat-engine", "fingerprint": "cd7f219950e907d0c29f6876f7c2401c36e87222fc8ba43fa3009d44480ae801", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|internal/cmd/stats/index.js|346|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/cmd/stats/index.js"}, "region": {"startLine": 346}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 134329, "scanner": "repobility-threat-engine", "fingerprint": "94e2645363217fee851cffd3116c1cbedab6c3cc15a276ae2639236bcd761cf6", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"<html>\\n<body>\\n\" + body + \"\\n</body>\\n</html>\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|94e2645363217fee851cffd3116c1cbedab6c3cc15a276ae2639236bcd761cf6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/agent/tools/fetch.go"}, "region": {"startLine": 178}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 134324, "scanner": "repobility-threat-engine", "fingerprint": "142dd3a5d1cc4d7987871b07e4747b806c5dafbbf6004533e8ef41c7dbaf74f0", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = fmt.Fprintf(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|142dd3a5d1cc4d7987871b07e4747b806c5dafbbf6004533e8ef41c7dbaf74f0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/cmd/login.go"}, "region": {"startLine": 55}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 134323, "scanner": "repobility-threat-engine", "fingerprint": "a882a37c3dd6459d0228bc17dc03fc2d4e947a95a24f2dd11b196da5ecbbb9f8", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = tempFile.Close(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a882a37c3dd6459d0228bc17dc03fc2d4e947a95a24f2dd11b196da5ecbbb9f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/agent/tools/web_fetch.go"}, "region": {"startLine": 62}}}]}, {"ruleId": "ERR003", "level": "note", "message": {"text": "[ERR003] Ignored Error (Go): Ignoring error return values."}, "properties": {"repobilityId": 134322, "scanner": "repobility-threat-engine", "fingerprint": "d194181262b7d2631490e1c6c163b7960cc2cbf0f8607a687738cc90d71ac4b5", "category": "error_handling", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "_ = client.OpenFileOnDemand(", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d194181262b7d2631490e1c6c163b7960cc2cbf0f8607a687738cc90d71ac4b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/agent/tools/diagnostics.go"}, "region": {"startLine": 60}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134301, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f203e57a3566ef5074bd14864d76f7ac24df2bb8a3b1abb5b4f0d0ac2fc98d0f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/app/lsp_events.go", "duplicate_line": 9, "correlation_key": "fp|f203e57a3566ef5074bd14864d76f7ac24df2bb8a3b1abb5b4f0d0ac2fc98d0f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/workspace/workspace.go"}, "region": {"startLine": 24}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134300, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b15a14be92aeffa8769c775f0c9407ab5ddc64d5dc28e034713bd75c0fe05786", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/server/events.go", "duplicate_line": 144, "correlation_key": "fp|b15a14be92aeffa8769c775f0c9407ab5ddc64d5dc28e034713bd75c0fe05786"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/workspace/client_workspace.go"}, "region": {"startLine": 736}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134299, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4d6456f9ca7b0dca4190e0af84c6a9458fba76d44308f1d55f4876ff87efb593", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/backend/config.go", "duplicate_line": 221, "correlation_key": "fp|4d6456f9ca7b0dca4190e0af84c6a9458fba76d44308f1d55f4876ff87efb593"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/workspace/client_workspace.go"}, "region": {"startLine": 460}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134298, "scanner": "repobility-ai-code-hygiene", "fingerprint": "60f6b31add22a16e67153ded0b074b2867fdcf2a48560d60e89b8bbd99e02523", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/workspace/app_workspace.go", "duplicate_line": 171, "correlation_key": "fp|60f6b31add22a16e67153ded0b074b2867fdcf2a48560d60e89b8bbd99e02523"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/workspace/client_workspace.go"}, "region": {"startLine": 294}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134297, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d1c358d3e85603c7dd4e0e2d6652f32302106df2212320cb8adfa2a4a8b59ff4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/backend/config.go", "duplicate_line": 221, "correlation_key": "fp|d1c358d3e85603c7dd4e0e2d6652f32302106df2212320cb8adfa2a4a8b59ff4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/workspace/app_workspace.go"}, "region": {"startLine": 251}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134296, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f6fd9f920cf9044f893f711184a7d784476c7fcf290b1562921534aea8037a50", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/ui/completions/item.go", "duplicate_line": 121, "correlation_key": "fp|f6fd9f920cf9044f893f711184a7d784476c7fcf290b1562921534aea8037a50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/ui/dialog/sessions_item.go"}, "region": {"startLine": 184}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134295, "scanner": "repobility-ai-code-hygiene", "fingerprint": "194e65244caf501253613229fa02c236ca310079828ef7243ce20bf9279f1eea", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/ui/dialog/common.go", "duplicate_line": 15, "correlation_key": "fp|194e65244caf501253613229fa02c236ca310079828ef7243ce20bf9279f1eea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/ui/dialog/sessions.go"}, "region": {"startLine": 250}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134294, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d44514e6fcd5680f4a86159643bbabc494e6ba660b9687ca90fceb60fb23ddb4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/ui/dialog/notifications.go", "duplicate_line": 31, "correlation_key": "fp|d44514e6fcd5680f4a86159643bbabc494e6ba660b9687ca90fceb60fb23ddb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/ui/dialog/reasoning.go"}, "region": {"startLine": 21}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134293, "scanner": "repobility-ai-code-hygiene", "fingerprint": "90fb355708a3f453d705e08a266c740dee81d8afb3071efc1f13dc3e0a5ee212", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/ui/chat/diagnostics.go", "duplicate_line": 33, "correlation_key": "fp|90fb355708a3f453d705e08a266c740dee81d8afb3071efc1f13dc3e0a5ee212"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/ui/chat/search.go"}, "region": {"startLine": 80}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134292, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ed7730bece9308a10e8a89221a4a3c5dfbd8753630b1020b5844ea82b00f2d50", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/ui/chat/diagnostics.go", "duplicate_line": 33, "correlation_key": "fp|ed7730bece9308a10e8a89221a4a3c5dfbd8753630b1020b5844ea82b00f2d50"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/ui/chat/references.go"}, "region": {"startLine": 33}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134291, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b990ae44c47a7ccd7a68b2bfab5257cee04b906dd7694b0b3171402422300d44", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/ui/chat/generic.go", "duplicate_line": 23, "correlation_key": "fp|b990ae44c47a7ccd7a68b2bfab5257cee04b906dd7694b0b3171402422300d44"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/ui/chat/mcp.go"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134290, "scanner": "repobility-ai-code-hygiene", "fingerprint": "96a57c6a75c9a1bb843f7fecb7c1ebcfd785e56472e8dab423cd8727b9bc0967", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/ui/chat/diagnostics.go", "duplicate_line": 33, "correlation_key": "fp|96a57c6a75c9a1bb843f7fecb7c1ebcfd785e56472e8dab423cd8727b9bc0967"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/ui/chat/lsp_restart.go"}, "region": {"startLine": 32}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134289, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bc3f2a04c878b9fb58167219d8f184067aef4ac24c3f49c85de444e9bea1523b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/ui/chat/diagnostics.go", "duplicate_line": 33, "correlation_key": "fp|bc3f2a04c878b9fb58167219d8f184067aef4ac24c3f49c85de444e9bea1523b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/ui/chat/file.go"}, "region": {"startLine": 237}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134288, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fc474bfd172903724e9e7eee2deb5cbb1f31ce93088971f148c7bad9405c0ffd", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/proto/mcp.go", "duplicate_line": 107, "correlation_key": "fp|fc474bfd172903724e9e7eee2deb5cbb1f31ce93088971f148c7bad9405c0ffd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/proto/proto.go"}, "region": {"startLine": 162}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134287, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a9f0985d152eec0f2ad7c18e01f41c44c6903dc7f9aa7780422386f09901af59", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/proto/agent.go", "duplicate_line": 30, "correlation_key": "fp|a9f0985d152eec0f2ad7c18e01f41c44c6903dc7f9aa7780422386f09901af59"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/proto/proto.go"}, "region": {"startLine": 124}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134286, "scanner": "repobility-ai-code-hygiene", "fingerprint": "727352e19b5966132d28eb270f3b472be7d8058a04c0f956c0af076db4910332", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/permission/permission.go", "duplicate_line": 24, "correlation_key": "fp|727352e19b5966132d28eb270f3b472be7d8058a04c0f956c0af076db4910332"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/proto/permission.go"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134285, "scanner": "repobility-ai-code-hygiene", "fingerprint": "77ed6752297ccbc387bac160aeedeef9cd9518cf5d6949f53b7cad7b71f8f53e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/message/message.go", "duplicate_line": 365, "correlation_key": "fp|77ed6752297ccbc387bac160aeedeef9cd9518cf5d6949f53b7cad7b71f8f53e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/proto/message.go"}, "region": {"startLine": 380}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134284, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c1d5f3ce014d0709b257a242358a95abb7dd8ea5206877bb52968d35581c6861", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/message/content.go", "duplicate_line": 42, "correlation_key": "fp|c1d5f3ce014d0709b257a242358a95abb7dd8ea5206877bb52968d35581c6861"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/proto/message.go"}, "region": {"startLine": 61}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134283, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c7a0aa997b4c4898d37b2fd0dcae9a4d3bdb101db89330ca5783c0a165e0e189", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/proto/agent.go", "duplicate_line": 30, "correlation_key": "fp|c7a0aa997b4c4898d37b2fd0dcae9a4d3bdb101db89330ca5783c0a165e0e189"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/proto/mcp.go"}, "region": {"startLine": 67}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134282, "scanner": "repobility-ai-code-hygiene", "fingerprint": "662e5921f6b9dc50d663126baa645ce0bc76fbf7c3d3f7b8c8486472c4cf7816", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/db/files.sql.go", "duplicate_line": 129, "correlation_key": "fp|662e5921f6b9dc50d663126baa645ce0bc76fbf7c3d3f7b8c8486472c4cf7816"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/db/stats.sql.go"}, "region": {"startLine": 89}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134281, "scanner": "repobility-ai-code-hygiene", "fingerprint": "de0832868d87f6d3688bc3ca04499dfd16887863fccfb1a632ddc98ae75f5320", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/db/files.sql.go", "duplicate_line": 129, "correlation_key": "fp|de0832868d87f6d3688bc3ca04499dfd16887863fccfb1a632ddc98ae75f5320"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/db/sessions.sql.go"}, "region": {"startLine": 148}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134280, "scanner": "repobility-ai-code-hygiene", "fingerprint": "95e4899ee3998d6433e28d4258ff613f99e514af2ff4a04f0c9ab8d0ebb1d250", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/db/files.sql.go", "duplicate_line": 129, "correlation_key": "fp|95e4899ee3998d6433e28d4258ff613f99e514af2ff4a04f0c9ab8d0ebb1d250"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/db/messages.sql.go"}, "region": {"startLine": 120}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134279, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c019ff8a0f66f6c8823394dd01030f4c6dea1b18ac586bb1d5a2bfed0c47b2f2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/app/app.go", "duplicate_line": 189, "correlation_key": "fp|c019ff8a0f66f6c8823394dd01030f4c6dea1b18ac586bb1d5a2bfed0c47b2f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/cmd/run.go"}, "region": {"startLine": 152}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134278, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6e7750e00d7ccf3062f800e6b27ec9c2a0c7a908e7de83d50fef496c3e926f80", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/cmd/login.go", "duplicate_line": 30, "correlation_key": "fp|6e7750e00d7ccf3062f800e6b27ec9c2a0c7a908e7de83d50fef496c3e926f80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/cmd/logout.go"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134277, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c3c96fb0563cbef56e1946fe4f1cbf02e5a6c2fe3fc632f62880632901f4e8e8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/agent/tools/edit.go", "duplicate_line": 1, "correlation_key": "fp|c3c96fb0563cbef56e1946fe4f1cbf02e5a6c2fe3fc632f62880632901f4e8e8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/agent/tools/write.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134276, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0dc94211326f5189f10f379d97c9679d11d72e9605239b281d2e8aa50029329b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/agent/tools/edit.go", "duplicate_line": 1, "correlation_key": "fp|0dc94211326f5189f10f379d97c9679d11d72e9605239b281d2e8aa50029329b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/agent/tools/multiedit.go"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 134275, "scanner": "repobility-ai-code-hygiene", "fingerprint": "16e398ecea818c89cc1375f9fa13d98fdc6d45827c8732ebee2bd55b27efb998", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "internal/agent/tools/download.go", "duplicate_line": 95, "correlation_key": "fp|16e398ecea818c89cc1375f9fa13d98fdc6d45827c8732ebee2bd55b27efb998"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/agent/tools/fetch.go"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED033", "level": "none", "message": {"text": "[MINED033] Go Recover Without Log (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 134348, "scanner": "repobility-threat-engine", "fingerprint": "fbb07e72cc11e3b4572ea89c723fe2134675efa8683fd803c2aec97628259c34", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fbb07e72cc11e3b4572ea89c723fe2134675efa8683fd803c2aec97628259c34", "aggregated_count": 1}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 134340, "scanner": "repobility-threat-engine", "fingerprint": "9b3140f1a544f1ef1e4ee1c8fe4f37d0e07d4cf440fa514118050d9d52cbc42e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9b3140f1a544f1ef1e4ee1c8fe4f37d0e07d4cf440fa514118050d9d52cbc42e", "aggregated_count": 4}}}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 134339, "scanner": "repobility-threat-engine", "fingerprint": "1cc36a1ca30d1e0906c499a570d4298289d258f0728f0f70defdcc853e9dac74", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1cc36a1ca30d1e0906c499a570d4298289d258f0728f0f70defdcc853e9dac74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/config/hyper.go"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 134338, "scanner": "repobility-threat-engine", "fingerprint": "dfe7dbcd53882716145f0c67109f7cfe6c1058a7903a2535c8058e36e2b99a80", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dfe7dbcd53882716145f0c67109f7cfe6c1058a7903a2535c8058e36e2b99a80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/config/catwalk.go"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED071", "level": "none", "message": {"text": "[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases."}, "properties": {"repobilityId": 134337, "scanner": "repobility-threat-engine", "fingerprint": "06cf398a7f893677b9cd024cc8feb454d33305dbac5749f11c79997c13ebc9d3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-panic-call", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348067+00:00", "triaged_in_corpus": 12, "observations_count": 29174, "ai_coder_pattern_id": 108}, "scanner": "repobility-threat-engine", "correlation_key": "fp|06cf398a7f893677b9cd024cc8feb454d33305dbac5749f11c79997c13ebc9d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/agent/tools/tools.go"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 134336, "scanner": "repobility-threat-engine", "fingerprint": "462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|462bb8b57887719306ec8a3cf2c050b455aeffaa9cbba6dae0ac34058459ea29"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 134328, "scanner": "repobility-threat-engine", "fingerprint": "f09837a3fd9e5f8992a0c33c8963fe71378ddc491de2f2fee522b5a1c3490603", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f09837a3fd9e5f8992a0c33c8963fe71378ddc491de2f2fee522b5a1c3490603"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/config/provider.go"}, "region": {"startLine": 65}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 134327, "scanner": "repobility-threat-engine", "fingerprint": "449f9de8e9fdf704726554f4721c80824fc4796b635f84b7030cabcdc9f76046", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|449f9de8e9fdf704726554f4721c80824fc4796b635f84b7030cabcdc9f76046"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/agent/tools/fetch.go"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 134326, "scanner": "repobility-threat-engine", "fingerprint": "c0626520d29e09ad9d741b8189a1524c072c5d7187c3dd63eb2e3bbafb40f83f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c0626520d29e09ad9d741b8189a1524c072c5d7187c3dd63eb2e3bbafb40f83f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/agent/tools/download.go"}, "region": {"startLine": 77}}}]}, {"ruleId": "ERR003", "level": "none", "message": {"text": "[ERR003] Ignored Error (Go) (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 134325, "scanner": "repobility-threat-engine", "fingerprint": "961c778412e7fbd86f6ba4183e5033c7cb9f706769045bc54758aaab521578b2", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR003", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|961c778412e7fbd86f6ba4183e5033c7cb9f706769045bc54758aaab521578b2"}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel (and 11 more): Same pattern found in 11 additional files. Review if needed."}, "properties": {"repobilityId": 134321, "scanner": "repobility-threat-engine", "fingerprint": "652382fb9cb516533a673dc525a9ab5c0388624ab2c95b7d6682e1f8e5b7c65f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 11 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|652382fb9cb516533a673dc525a9ab5c0388624ab2c95b7d6682e1f8e5b7c65f", "aggregated_count": 11}}}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 134320, "scanner": "repobility-threat-engine", "fingerprint": "218160f2be2f0007cd39aeacb445c89acb2bca93bce4fc70ff78933330a0045c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|218160f2be2f0007cd39aeacb445c89acb2bca93bce4fc70ff78933330a0045c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/backend/testing.go"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 134319, "scanner": "repobility-threat-engine", "fingerprint": "fe771a5fe87e01a7c86c8abf1547697874420c2e78cf2673f188ec5e55275afd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fe771a5fe87e01a7c86c8abf1547697874420c2e78cf2673f188ec5e55275afd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/app/testing.go"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED060", "level": "none", "message": {"text": "[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines."}, "properties": {"repobilityId": 134318, "scanner": "repobility-threat-engine", "fingerprint": "40f737438acb4f24148bc737efc4b1b8b474a735aeceefb2aaa7d049abc6e8f4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-context-no-cancel", "owasp": null, "cwe_ids": ["CWE-401"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348041+00:00", "triaged_in_corpus": 12, "observations_count": 132905, "ai_coder_pattern_id": 110}, "scanner": "repobility-threat-engine", "correlation_key": "fp|40f737438acb4f24148bc737efc4b1b8b474a735aeceefb2aaa7d049abc6e8f4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/agent/prompts.go"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED016", "level": "none", "message": {"text": "[MINED016] Go Error Ignored (and 9 more): Same pattern found in 9 additional files. Review if needed."}, "properties": {"repobilityId": 134317, "scanner": "repobility-threat-engine", "fingerprint": "8f1fa769b3579a7ecc2409e0b1cb6081f6c86e7fa2df76427646ad8b5b9240d3", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 9 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|8f1fa769b3579a7ecc2409e0b1cb6081f6c86e7fa2df76427646ad8b5b9240d3", "aggregated_count": 9}}}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 134313, "scanner": "repobility-threat-engine", "fingerprint": "f79b4c6ce4eb0d7d776ad2633f739e1a0f46e1ad817ef3a9572abdaf1937f71a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f79b4c6ce4eb0d7d776ad2633f739e1a0f46e1ad817ef3a9572abdaf1937f71a"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 134309, "scanner": "repobility-threat-engine", "fingerprint": "f50747163d70dab1fa2519c9a96d374fa64771763e354f97facd6a46500faf29", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|f50747163d70dab1fa2519c9a96d374fa64771763e354f97facd6a46500faf29"}}}, {"ruleId": "GO-2026-5032", "level": "error", "message": {"text": "golang.org/x/image: GO-2026-5032"}, "properties": {"repobilityId": 134356, "scanner": "osv-scanner", "fingerprint": "0c775caf0e9b5d80077a020cff5c96d5cd6efbd3197e928f8b8fa1f0cd633b68", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-46599"], "package": "golang.org/x/image", "rule_id": "GO-2026-5032", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/image|CVE-2026-46599|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-5031", "level": "error", "message": {"text": "golang.org/x/image: GO-2026-5031"}, "properties": {"repobilityId": 134355, "scanner": "osv-scanner", "fingerprint": "b66bc87e9087f2fbb63a1b7be38f59ce4d0fef8e698ea3827a99ca094a92efc9", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-42500"], "package": "golang.org/x/image", "rule_id": "GO-2026-5031", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/image|CVE-2026-42500|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4962", "level": "error", "message": {"text": "golang.org/x/image: GO-2026-4962"}, "properties": {"repobilityId": 134354, "scanner": "osv-scanner", "fingerprint": "822a57faa7f99ac28d4d56ee8f6c7af481eba4c6694557077d2ca65f76e6dd30", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33812"], "package": "golang.org/x/image", "rule_id": "GO-2026-4962", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/image|CVE-2026-33812|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "GO-2026-4961", "level": "error", "message": {"text": "golang.org/x/image: GO-2026-4961"}, "properties": {"repobilityId": 134353, "scanner": "osv-scanner", "fingerprint": "35ac65516859eec35f3a8eef22bf9aa01a062e3d500fc70abb39277c8b12a609", "category": "dependency", "severity": "high", "confidence": 0.88, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "", "aliases": ["CVE-2026-33813"], "package": "golang.org/x/image", "rule_id": "GO-2026-4961", "scanner": "osv-scanner", "correlation_key": "vuln|golang.org/x/image|CVE-2026-33813|go.mod"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 134347, "scanner": "repobility-threat-engine", "fingerprint": "4af9533d2a51ace413a09a83635f1e9474a2e3d0c2b478e697fd3a614c638208", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4af9533d2a51ace413a09a83635f1e9474a2e3d0c2b478e697fd3a614c638208"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/shell/run.go"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 134346, "scanner": "repobility-threat-engine", "fingerprint": "96f287443afa95e90f33c602edb7dc467f13b3e2050ceaf171e91b50e2ce0491", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|96f287443afa95e90f33c602edb7dc467f13b3e2050ceaf171e91b50e2ce0491"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/server/recover.go"}, "region": {"startLine": 18}}}]}, {"ruleId": "MINED033", "level": "error", "message": {"text": "[MINED033] Go Recover Without Log: defer func() { recover() }() that silently swallows panic."}, "properties": {"repobilityId": 134345, "scanner": "repobility-threat-engine", "fingerprint": "3cabb68b8d41d5376df60c7ba9081cf58243e86b89c646d0eb5f479ed7fc211d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-recover-without-log", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347975+00:00", "triaged_in_corpus": 15, "observations_count": 3808, "ai_coder_pattern_id": 109}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3cabb68b8d41d5376df60c7ba9081cf58243e86b89c646d0eb5f479ed7fc211d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/log/log.go"}, "region": {"startLine": 67}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 134344, "scanner": "repobility-threat-engine", "fingerprint": "a91babd652be9b856beadf8094baa38fb80ed53759603a82b13d78818a15dbfc", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `<td>${d.day}</td><td>${d.session_count}</td><td>${formatNumber(\n      d.prompt_tokens,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a91babd652be9b856beadf8094baa38fb80ed53759603a82b13d78818a15dbfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/cmd/stats/index.js"}, "region": {"startLine": 346}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 134335, "scanner": "repobility-threat-engine", "fingerprint": "b1c19f7156d1e2b66c81f9172ff6d575e2364c5d4dac2bed7aa1b6944d3ca9cb", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(r", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b1c19f7156d1e2b66c81f9172ff6d575e2364c5d4dac2bed7aa1b6944d3ca9cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/cmd/login.go"}, "region": {"startLine": 112}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 134334, "scanner": "repobility-threat-engine", "fingerprint": "179562fadc36762283b56d7d9b6a113015cd82f9581cb92329343bb3d8ef7e75", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(s", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|179562fadc36762283b56d7d9b6a113015cd82f9581cb92329343bb3d8ef7e75"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/client/client.go"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 134333, "scanner": "repobility-threat-engine", "fingerprint": "f0861d6f22c82b870b6b51d4fb2874dee0e9d18f6207a1da63ce69a1bbb902db", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(a", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f0861d6f22c82b870b6b51d4fb2874dee0e9d18f6207a1da63ce69a1bbb902db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/agent/tools/search.go"}, "region": {"startLine": 120}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 134332, "scanner": "repobility-threat-engine", "fingerprint": "353f68ce8b0f46f564c3fda5727e55005f860c799b4f9ab6f34d84899a3e7096", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|353f68ce8b0f46f564c3fda5727e55005f860c799b4f9ab6f34d84899a3e7096"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/ui/util/util.go"}, "region": {"startLine": 94}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 134331, "scanner": "repobility-threat-engine", "fingerprint": "5ffc13920a8a233908af56059d24b39120f83a4979701b4a3637ecbbeca8f5bf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5ffc13920a8a233908af56059d24b39120f83a4979701b4a3637ecbbeca8f5bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/config/docker_mcp.go"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC093", "level": "error", "message": {"text": "[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) \u2014 variable command name allows command injection. Ported from gosec G204 (Apache-2.0)."}, "properties": {"repobilityId": 134330, "scanner": "repobility-threat-engine", "fingerprint": "65c24fbfa9142a5aea6f7936e304b7f7740474d55e166fb8c3285601c752c4b4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec.CommandContext(ctx,", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC093", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|65c24fbfa9142a5aea6f7936e304b7f7740474d55e166fb8c3285601c752c4b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/agent/tools/rg.go"}, "region": {"startLine": 41}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 134316, "scanner": "repobility-threat-engine", "fingerprint": "5213330f5cf5aa3fac9ff11c859b752dc5a4555aac1b5fa430afecc75d40a8f1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5213330f5cf5aa3fac9ff11c859b752dc5a4555aac1b5fa430afecc75d40a8f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/agent/tools/tools.go"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 134315, "scanner": "repobility-threat-engine", "fingerprint": "1a0cfb85b87b6d2af4c36f9b6093c934d912b72851966a17b4b025219030daf1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1a0cfb85b87b6d2af4c36f9b6093c934d912b72851966a17b4b025219030daf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/agent/tools/sourcegraph.go"}, "region": {"startLine": 162}}}]}, {"ruleId": "MINED016", "level": "error", "message": {"text": "[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern."}, "properties": {"repobilityId": 134314, "scanner": "repobility-threat-engine", "fingerprint": "2def20ce1943a8670a9c15fe12b391bba2f5dd3d1ddb898c1e776c1b7281428c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "go-error-ignored", "owasp": null, "cwe_ids": ["CWE-754"], "languages": ["go"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347935+00:00", "triaged_in_corpus": 15, "observations_count": 83036, "ai_coder_pattern_id": 107}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2def20ce1943a8670a9c15fe12b391bba2f5dd3d1ddb898c1e776c1b7281428c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/agent/prompt/prompt.go"}, "region": {"startLine": 227}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 134312, "scanner": "repobility-threat-engine", "fingerprint": "c9e2bd76c76f94cded936d92e83d5fae7459d16f2e02085318667d7c38491ee6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(ctx", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c9e2bd76c76f94cded936d92e83d5fae7459d16f2e02085318667d7c38491ee6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/db/files.sql.go"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 134311, "scanner": "repobility-threat-engine", "fingerprint": "eb0db8856f988a288dd7b615b4cfed8a70f08847f9512b0b4fd77be165a5fb36", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(fmt", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|eb0db8856f988a288dd7b615b4cfed8a70f08847f9512b0b4fd77be165a5fb36"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/db/connect_ncruces.go"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 134310, "scanner": "repobility-threat-engine", "fingerprint": "21691597a9c6ce4676f1090c85c831245bbb9be4635d27a5a59646a5c22ae119", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Exec(ctx", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|21691597a9c6ce4676f1090c85c831245bbb9be4635d27a5a59646a5c22ae119"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/agent/prompt/prompt.go"}, "region": {"startLine": 251}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `charmbracelet/meta/.github/workflows/goreleaser.yml` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 134305, "scanner": "repobility-supply-chain", "fingerprint": "b32d7992557f90d5e0513395e1c37b641d986abcf25b92ad2b4205d2de18e165", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b32d7992557f90d5e0513395e1c37b641d986abcf25b92ad2b4205d2de18e165"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `charmbracelet/meta/.github/workflows/nightly.yml` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 134304, "scanner": "repobility-supply-chain", "fingerprint": "a4a366471a7a847edf72d535a02cab1fed4a986ca56b08f5bd910b82a12fe634", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a4a366471a7a847edf72d535a02cab1fed4a986ca56b08f5bd910b82a12fe634"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nightly.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `charmbracelet/meta/.github/workflows/lint-sync.yml` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 134303, "scanner": "repobility-supply-chain", "fingerprint": "5019b12b0d73f166ec90e997455a7a0ed4d594dbbd0115db1e0dd0110e162b9a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5019b12b0d73f166ec90e997455a7a0ed4d594dbbd0115db1e0dd0110e162b9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint-sync.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `charmbracelet/meta/.github/workflows/lint.yml` pinned to mutable ref `@main`"}, "properties": {"repobilityId": 134302, "scanner": "repobility-supply-chain", "fingerprint": "e3caabe1f9f35561a310c74298bd6c33e278f14bc9f07d6abc9557c44d0d297b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e3caabe1f9f35561a310c74298bd6c33e278f14bc9f07d6abc9557c44d0d297b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/lint.yml"}, "region": {"startLine": 9}}}]}, {"ruleId": "generic-api-key", "level": "error", "message": {"text": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."}, "properties": {"repobilityId": 134351, "scanner": "gitleaks", "fingerprint": "79042a14c33e0ed604a2cd01d2ec064179e8a89c3138eaa00a14da6e08bfabfc", "category": "credential_exposure", "severity": "critical", "confidence": 0.95, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"match": "key      = \"REDACTED\"", "rule_id": "generic-api-key", "scanner": "gitleaks", "detector": "generic-api-key", "correlation_key": "secret|internal/event/event.go|1|key redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "internal/event/event.go"}, "region": {"startLine": 18}}}]}]}]}