{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED109", "name": "[MINED109] Mutable default argument in `segment` (set): `def segment(... = []/{}/set())` \u2014 Python's default value is con", "shortDescription": {"text": "[MINED109] Mutable default argument in `segment` (set): `def segment(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every futu"}, "fullDescription": {"text": "Use None as the default and create the collection inside the function: `def segment(x=None): x = x or []`"}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED111", "name": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or ", "shortDescription": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "fullDescription": {"text": "Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `tgs` image uses the latest tag", "shortDescription": {"text": "Compose service `tgs` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC014", "name": "Database data bind mount is inside the Docker build context", "shortDescription": {"text": "Database data bind mount is inside the Docker build context"}, "fullDescription": {"text": "Prefer a named volume or a host path outside the build context. 
If a repo-local path is required, add it to .dockerignore and .gitignore and verify backups separately."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR002", "name": "Compose service `mariadb` image has no explicit tag", "shortDescription": {"text": "Compose service `mariadb` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR014", "name": "Dockerfile copies broad context with incomplete .dockerignore", "shortDescription": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "fullDescription": {"text": "Tighten .dockerignore or replace COPY . 
with explicit COPY statements."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.76, "cwe": "", "owasp": ""}}, {"id": "DKR015", "name": "Docker build context is very large", "shortDescription": {"text": "Docker build context is very large"}, "fullDescription": {"text": "Shrink the build context with .dockerignore, move generated/runtime data outside the build context, and copy only the manifest files needed for cached dependency layers."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "SEC127", "name": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedEr", "shortDescription": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or "}, "fullDescription": {"text": "Either implement the body, or fail closed at module-load time so the deploy can't ship a half-built route. A CI gate that fails build on `raise NotImplementedError` in non-abstract code catches this cleanly."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC042", "name": "[SEC042] SQL identifier injection via f-string in cursor execute: f-string SQL normalizes an unsafe pattern. Currently s", "shortDescription": {"text": "[SEC042] SQL identifier injection via f-string in cursor execute: f-string SQL normalizes an unsafe pattern. Currently safe when only trusted internal values are interpolated (e.g. 
self._table in Odoo), but a future contributor can extend t"}, "fullDescription": {"text": "Use psycopg2.sql.SQL() + sql.Identifier() for identifiers:\n  from psycopg2 import sql\n  cr.execute(sql.SQL('UPDATE {} SET x=%s').format(sql.Identifier(table)), (value,))\nNever use f-string in cr.execute(). Values go through %s parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC001", "name": "[SEC001] Hardcoded Password: Hardcoded password found in source code.", "shortDescription": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "fullDescription": {"text": "Use environment variables or a secrets manager."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC007", "name": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.", "shortDescription": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "fullDescription": {"text": "Use yaml.safe_load() instead of yaml.load(). Avoid pickle for untrusted data."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. 
Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. 
Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKR012", "name": "Dockerfile keeps pip download cache", "shortDescription": {"text": "Dockerfile keeps pip download cache"}, "fullDescription": {"text": "Use `pip install --no-cache-dir ...` in container builds."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR011", "name": "Dockerfile installs recommended OS packages", "shortDescription": {"text": "Dockerfile installs recommended OS packages"}, 
"fullDescription": {"text": "Add `--no-install-recommends` and explicitly list only packages the image needs."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "DKR010", "name": "Dockerfile leaves apt package indexes in the image layer", "shortDescription": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "fullDescription": {"text": "End the apt install layer with `rm -rf /var/lib/apt/lists/*`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC124", "name": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacke", "shortDescription": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). 
`mktemp` is deprecated for the same reason."}, "fullDescription": {"text": "Use `os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)` for atomic create-only. Use `tempfile.NamedTemporaryFile()` (not `mktemp`). For locking, use `fcntl.flock`."}, "properties": {"scanner": "repobility-threat-engine", "category": "race_condition", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC132", "name": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the la", "shortDescription": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on it"}, "fullDescription": {"text": "Python: `f\"prefix {var} suffix\"`. JS/TS: `` `prefix ${var} suffix` ``. Add a lint rule (pyupgrade UP032, eslint prefer-template) so future PRs catch this automatically."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "COMP001", "name": "[COMP001] High cognitive complexity: Function `parse_role` has cognitive complexity 9 (SonarSource scale). Cognitive com", "shortDescription": {"text": "[COMP001] High cognitive complexity: Function `parse_role` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all"}, "fullDescription": {"text": "Extract nested branches into named helper functions; flatten early-return / guard clauses; replace long if/elif chains with dispatch dicts or polymorphism. 
SonarQube's threshold for 'should refactor' is 15 \u2014 yours is 9."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "low", "confidence": 0.95, "cwe": "", "owasp": ""}}, {"id": "MINED051", "name": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong.", "shortDescription": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED063", "name": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use.", "shortDescription": {"text": "[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-367 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED064", "name": "[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.", "shortDescription": {"text": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services."}, "fullDescription": {"text": "Review and fix per the pattern semantics."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED072", "name": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in.", "shortDescription": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC005", "name": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.", "shortDescription": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "fullDescription": {"text": "Use subprocess with shell=False and a list of args. Never eval user input."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED067", "name": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.", "shortDescription": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-400 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED050", "name": "[MINED050] Stub Only Function (and 5 more): Same pattern found in 5 additional files. Review if needed.", "shortDescription": {"text": "[MINED050] Stub Only Function (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1188 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED001", "name": "[MINED001] Bare Except Pass (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED001] Bare Except Pass (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 1 more): Same pattern found in 1 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html (and 10 more): Same pattern found in 10 additional files. Review if needed.", "shortDescription": {"text": "[MINED058] React Dangerously Set Html (and 10 more): Same pattern found in 10 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 74 more): Same pattern found in 74 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 74 more): Same pattern found in 74 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC118", "name": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it", "shortDescription": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable."}, "fullDescription": {"text": "Use `uuid.uuid4()` (random) or `secrets.token_urlsafe()` for tokens. In Go, use `uuid.NewRandom()` (google/uuid)."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 13 more): Same pattern found in 13 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional fil", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 19 more): Same pattern found in 19 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 25 more): Same pattern found in 25 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 addit", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC004", "name": "[SEC004] SQL Injection Risk (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC004] SQL Injection Risk (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use parameterized queries: cursor.execute('SELECT * FROM t WHERE id = %s', [id]). For dynamic table or column names, choose identifiers from a hard-coded allowlist and keep values in parameters."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED134", "name": "[MINED134] Binary file `tools/dmifonts/DmiFonts.exe` committed in source repo: `tools/dmifonts/DmiFonts.exe` is a .exe b", "shortDescription": {"text": "[MINED134] Binary file `tools/dmifonts/DmiFonts.exe` committed in source repo: `tools/dmifonts/DmiFonts.exe` is a .exe binary (27,648 bytes) committed to a repo that otherwise has 1247 source files. 
Trojan binaries inside otherwise-normal s"}, "fullDescription": {"text": "Audit the binary's provenance. If it's vendored library code, document it in a VENDORED.md. If it's a build artifact, add the extension to .gitignore and rebuild from source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED126", "name": "[MINED126] Workflow container/services image `tgstation/server` unpinned: `container/services image: tgstation/server` w", "shortDescription": {"text": "[MINED126] Workflow container/services image `tgstation/server` unpinned: `container/services image: tgstation/server` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container references with the same supply-"}, "fullDescription": {"text": "Replace with `tgstation/server@sha256:<digest>`. Re-pin via Dependabot Docker scope."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at work", "shortDescription": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. 
Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise"}, "fullDescription": {"text": "Replace with: `uses: actions/github-script@<40-char-sha>  # v9` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `debian:bullseye-slim` not pinned by digest: `FROM debian:bullseye-slim` resolves the tag at ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `debian:bullseye-slim` not pinned by digest: `FROM debian:bullseye-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Produc"}, "fullDescription": {"text": "Replace with: `FROM debian:bullseye-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED108", "name": "[MINED108] `self.raise_error` used but never assigned in __init__: Method `parse_pop` of class `DMMParser` reads `self.r", "shortDescription": {"text": "[MINED108] `self.raise_error` used but never assigned in __init__: Method `parse_pop` of class `DMMParser` reads `self.raise_error`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the fi"}, "fullDescription": {"text": "Initialize `self.raise_error = <default>` in __init__, or add a class-level default."}, "properties": {"scanner": "repobility-ast-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "DKR006", "name": "Dockerfile pipes a remote script into a shell", "shortDescription": {"text": "Dockerfile pipes a remote script into a shell"}, "fullDescription": {"text": "Download the artifact, verify its checksum or signature, pin the version, and then execute it."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "MINED006", "name": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working.", "shortDescription": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-705 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED034", "name": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.", "shortDescription": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-78 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC078", "name": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsiv", "shortDescription": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a re"}, "fullDescription": {"text": "Add `timeout=10` (or appropriate value) to every requests call."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC114", "name": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker", "shortDescription": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../etc/passwd` resolves cleanly."}, "fullDescription": {"text": "After joining, re-check containment: `if !strings.HasPrefix(filepath.Clean(joined), filepath.Clean(baseDir)+string(os.PathSeparator)) { error }`. In Node: `path.resolve(base, x); if (!resolved.startsWith(base + path.sep)) throw`."}, "properties": {"scanner": "repobility-threat-engine", "category": "path_traversal", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED012", "name": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code.", "shortDescription": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-494 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. ", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported fr", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC103", "name": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inje", "shortDescription": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts."}, "fullDescription": {"text": "Escape with javax.naming.ldap.Rdn.escapeValue or equivalent. For python-ldap, use ldap.filter.escape_filter_chars. 
Better: use parameterized search APIs (Spring LdapTemplate filter encoders)."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.DISCORD_WEBHOOK` on a `pull_request` trigger: This workflow triggers on `pull_request`", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.DISCORD_WEBHOOK` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DISCORD_WEBHOOK }` lets a PR from any fork exfiltrate the se"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.96, "cwe": "", "owasp": ""}}, {"id": "MINED030", "name": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.", "shortDescription": {"text": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-502 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC081", "name": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary co", "shortDescription": {"text": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3)."}, "fullDescription": {"text": "Use json, msgpack, or protobuf for untrusted data. If pickle is required, sign the payload with an HMAC and verify it before unpickling."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED102", "name": "[MINED102] Shell Injection Via F-string: Shell command built via f-string or .format with non-constant input \u2014 command i", "shortDescription": {"text": "[MINED102] Shell Injection Via F-string: Shell command built via f-string or .format with non-constant input \u2014 command injection. An attacker controlling any interpolated value can execute arbitrary shell commands."}, "fullDescription": {"text": "Use the list form of subprocess (e.g. subprocess.run([\"cmd\", arg1, arg2])) with shell=False. Never combine shell=True with string interpolation."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED018", "name": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/fi", "shortDescription": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-502 / A08:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC116", "name": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrar", "shortDescription": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "fullDescription": {"text": "Use `YAML.safe_load(input, permitted_classes: [Date])` \u2014 explicit class allowlist. Never use `Marshal.load` on untrusted data; serialize as JSON instead."}, "properties": {"scanner": "repobility-threat-engine", "category": "deserialization", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC079", "name": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python obje", "shortDescription": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "fullDescription": {"text": "Use `yaml.safe_load(data)` or `yaml.load(data, Loader=yaml.SafeLoader)`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED007", "name": "[MINED007] Sql String Concat: cursor.execute(f\"... {user_input} ...\") \u2014 SQL injection.", "shortDescription": {"text": "[MINED007] Sql String Concat: cursor.execute(f\"... {user_input} ...\") \u2014 SQL injection."}, "fullDescription": {"text": "Review and fix per the pattern semantics. 
See CWE-89 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1395"}, "properties": {"repository": "NovaSector/NovaSector", "repoUrl": "https://github.com/NovaSector/NovaSector", "branch": "master"}, "results": [{"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `segment` (set): `def segment(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 143373, "scanner": "repobility-ast-engine", "fingerprint": "00b6f7a4a5c0f1824cc20d65ad2a9a693c60bc286c2d6fbc740688e60cbd3b12", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|00b6f7a4a5c0f1824cc20d65ad2a9a693c60bc286c2d6fbc740688e60cbd3b12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/midi2piano/MidiDependencies/midi.py"}, "region": {"startLine": 542}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `timeshift` (set): `def timeshift(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. 
Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 143372, "scanner": "repobility-ast-engine", "fingerprint": "b542d268a02b233937f98a7d475eb15d11791fcf8988318b9b304bbdc722a2db", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b542d268a02b233937f98a7d475eb15d11791fcf8988318b9b304bbdc722a2db"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/midi2piano/MidiDependencies/midi.py"}, "region": {"startLine": 453}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `opus2score` (list): `def opus2score(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. 
Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 143371, "scanner": "repobility-ast-engine", "fingerprint": "b4fdc6659e6a75e83487928dcb89d7e0461d84afffd0c4b858ec67527fe2242a", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b4fdc6659e6a75e83487928dcb89d7e0461d84afffd0c4b858ec67527fe2242a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/midi2piano/MidiDependencies/midi.py"}, "region": {"startLine": 306}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `opus2midi` (list): `def opus2midi(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 143370, "scanner": "repobility-ast-engine", "fingerprint": "eeb26b32d6fcc9da1411012c4b943ca5113bedee327ed37ba62d96c984191cee", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|eeb26b32d6fcc9da1411012c4b943ca5113bedee327ed37ba62d96c984191cee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/midi2piano/MidiDependencies/midi.py"}, "region": {"startLine": 150}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `__init__` (dict): `def __init__(... 
= []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 143369, "scanner": "repobility-ast-engine", "fingerprint": "7254553bb2c8543c14da874522d824a84065a6ffadde9b50964620bf73b7f3fe", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7254553bb2c8543c14da874522d824a84065a6ffadde9b50964620bf73b7f3fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/maplint/source/lint.py"}, "region": {"startLine": 133}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `__init__` (dict): `def __init__(... = []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. 
Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 143368, "scanner": "repobility-ast-engine", "fingerprint": "b9ec18354e9718d8b5ecdcb47c8afa23b712f8587b6acff88846c4df98408fda", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b9ec18354e9718d8b5ecdcb47c8afa23b712f8587b6acff88846c4df98408fda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/maplint/source/lint.py"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 143358, "scanner": "repobility-ast-engine", "fingerprint": "7b830dca853295274c082698780c6677151960b738fb0a715525b905f92dc366", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|7b830dca853295274c082698780c6677151960b738fb0a715525b905f92dc366"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/maplint/source/__main__.py"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 143357, "scanner": "repobility-ast-engine", "fingerprint": "e3a1711f67555e8d1a2e03e5eb0a4d1f4b49f9156da40aab59995babbf7dad39", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e3a1711f67555e8d1a2e03e5eb0a4d1f4b49f9156da40aab59995babbf7dad39"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/maplint/source/__main__.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 143356, "scanner": "repobility-ast-engine", "fingerprint": "4167dcfd2b0da74b2e6ffc5d7b364e556570e17c9e24b7a27bc96b8f6364bf56", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4167dcfd2b0da74b2e6ffc5d7b364e556570e17c9e24b7a27bc96b8f6364bf56"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/maplint/source/__main__.py"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED109", "level": "warning", "message": {"text": "[MINED109] Mutable default argument in `text_to_speech_handler` (list): `def text_to_speech_handler(... 
= []/{}/set())` \u2014 Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it in one call mutates it for every future call too."}, "properties": {"repobilityId": 143355, "scanner": "repobility-ast-engine", "fingerprint": "d207facf9c360bcfc8a790f05ffad6ac08bbb4fa4f62233c8550895c4f35a33b", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "mutable-default-arg", "owasp": null, "cwe_ids": ["CWE-1023"], "languages": ["python"], "observations_count": 64867}, "scanner": "repobility-ast-engine", "correlation_key": "fp|d207facf9c360bcfc8a790f05ffad6ac08bbb4fa4f62233c8550895c4f35a33b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tts/tts-api/tts-api.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 143354, "scanner": "repobility-ast-engine", "fingerprint": "028a5392f754840f56347773b2d5b6472befc20b5ecd7e01d1c8e8d08fa7f458", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|028a5392f754840f56347773b2d5b6472befc20b5ecd7e01d1c8e8d08fa7f458"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/minibot/nudge.py"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 143353, "scanner": "repobility-ast-engine", "fingerprint": "e2fcdba06407b5b3b6871c2f80e498dd07f5b5a20af92ff7c6f8ae83fb9bb117", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|e2fcdba06407b5b3b6871c2f80e498dd07f5b5a20af92ff7c6f8ae83fb9bb117"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/CatchUnescapedBrackets/__main__.py"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 143348, "scanner": "repobility-ast-engine", "fingerprint": "969697395215c687f8bdc2bfc0352d512657227ce4ceb095665c50556b3a798e", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|969697395215c687f8bdc2bfc0352d512657227ce4ceb095665c50556b3a798e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/HitboxExpander/__main__.py"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 143347, "scanner": "repobility-ast-engine", "fingerprint": "0ea04a6351adc5e4381025febc3634760b44a05290a31696a6fa45c7c3bfb4a5", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|0ea04a6351adc5e4381025febc3634760b44a05290a31696a6fa45c7c3bfb4a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/midi2piano/midi2piano.py"}, "region": {"startLine": 129}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. 
Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 143337, "scanner": "repobility-ast-engine", "fingerprint": "a9bd8f3294c057767ebe777781686d31e074cf2f3309ea5665135390d75f22a6", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|a9bd8f3294c057767ebe777781686d31e074cf2f3309ea5665135390d75f22a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/mapmerge2/frontend.py"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED111", "level": "warning", "message": {"text": "[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose."}, "properties": {"repobilityId": 143336, "scanner": "repobility-ast-engine", "fingerprint": "b3946d9fd0d142c560cc8fbd7bf1341c1948225784b7280f53ee1f243ab9921c", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "bare-except-without-pass", "owasp": null, "cwe_ids": [], "languages": ["python"], "observations_count": 21610}, "scanner": "repobility-ast-engine", "correlation_key": "fp|b3946d9fd0d142c560cc8fbd7bf1341c1948225784b7280f53ee1f243ab9921c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/silo_grapher/silo_graph_script.py"}, "region": {"startLine": 83}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `tgs` image uses the latest tag"}, "properties": {"repobilityId": 143321, "scanner": "repobility-docker", "fingerprint": 
"6088c9f5056b634d8351e7bde21e69e8c6c7ebc4f7c32b207fd839d089bcf391", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "tgstation/server:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6088c9f5056b634d8351e7bde21e69e8c6c7ebc4f7c32b207fd839d089bcf391"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/LinuxOneShot/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 143320, "scanner": "repobility-docker", "fingerprint": "c398591c16dbeb1d5a685f80e9fd0829639ca4999936645804d5f6e0c7b1d650", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "mariadb", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|c398591c16dbeb1d5a685f80e9fd0829639ca4999936645804d5f6e0c7b1d650"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/LinuxOneShot/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC014", "level": "warning", "message": {"text": "Database data bind mount is inside the Docker build context"}, "properties": {"repobilityId": 143319, "scanner": "repobility-docker", "fingerprint": "f4d53e2317dffcfeaccd9cf86c766a5707f327a415e3294cc40054a3f12c8aa6", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, 
"reason": "Database data directory is mounted from a relative path that is not excluded by .dockerignore.", "evidence": {"source": "./Database", "target": "/var/lib/mysql", "rule_id": "DKC014", "scanner": "repobility-docker", "service": "mariadb", "references": ["https://docs.docker.com/engine/storage/volumes/", "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|f4d53e2317dffcfeaccd9cf86c766a5707f327a415e3294cc40054a3f12c8aa6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/LinuxOneShot/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `mariadb` image has no explicit tag"}, "properties": {"repobilityId": 143316, "scanner": "repobility-docker", "fingerprint": "69adce3baea61aefa9a951fe5172794a0f861d4f41d3195d5f042b5cce690dc6", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "mariadb", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|69adce3baea61aefa9a951fe5172794a0f861d4f41d3195d5f042b5cce690dc6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/LinuxOneShot/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `adminer` image has no explicit tag"}, "properties": {"repobilityId": 143312, "scanner": "repobility-docker", "fingerprint": "024630da930bce397ecc99e463d31bed0c7534507188c79a836e6518edaab1a2", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has 
no tag or digest.", "evidence": {"image": "wodby/adminer", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|024630da930bce397ecc99e463d31bed0c7534507188c79a836e6518edaab1a2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/DockerTestServer/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 143311, "scanner": "repobility-docker", "fingerprint": "67412b50689165c2a8f07b1a1caa0bc4e1d80c1a28099024ac3f17f4467f0e1e", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|67412b50689165c2a8f07b1a1caa0bc4e1d80c1a28099024ac3f17f4467f0e1e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/DockerTestServer/docker-compose.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `db` image has no explicit tag"}, "properties": {"repobilityId": 143309, "scanner": "repobility-docker", "fingerprint": "d1d9cc031a72e0112f17ab018eaaa85ee2d9b377ea0b21f501f94d5d41b5c00a", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "mariadb", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", 
"https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|d1d9cc031a72e0112f17ab018eaaa85ee2d9b377ea0b21f501f94d5d41b5c00a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/DockerTestServer/docker-compose.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `dreammaker` image uses the latest tag"}, "properties": {"repobilityId": 143305, "scanner": "repobility-docker", "fingerprint": "3615f1fef974fb118158ce5b2c110fd32a96578648620a2bdd18bc0ca415beb2", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "tgstation:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|3615f1fef974fb118158ce5b2c110fd32a96578648620a2bdd18bc0ca415beb2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/DockerTestServer/docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 143304, "scanner": "repobility-docker", "fingerprint": "a4b945978dc1747b38dd853183fd32fa749c3aaf32ee4c2eb8a6c8c2559f7bc3", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:bullseye-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", 
"https://github.com/hadolint/hadolint"], "correlation_key": "fp|a4b945978dc1747b38dd853183fd32fa749c3aaf32ee4c2eb8a6c8c2559f7bc3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tts/tts-api/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 143303, "scanner": "repobility-docker", "fingerprint": "1b1c0ebb3b36d23f0ec21a5273c763c2a45cade24dfca5e287667b80ad685bfd", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|1b1c0ebb3b36d23f0ec21a5273c763c2a45cade24dfca5e287667b80ad685bfd", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tts/tts-api/Dockerfile"}, "region": {"startLine": 31}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 143300, "scanner": "repobility-docker", "fingerprint": "900e2897fa6e63886360dfa7be97b4ae9cdaf4df0e160361bd69f637b6d990ea", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "debian:bullseye-slim", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": 
"fp|900e2897fa6e63886360dfa7be97b4ae9cdaf4df0e160361bd69f637b6d990ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tts/tts/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 143299, "scanner": "repobility-docker", "fingerprint": "996644d3fd37bba7eb0d8f38e3fa67a5e2a18665238f654e3664f304e8d5862c", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|996644d3fd37bba7eb0d8f38e3fa67a5e2a18665238f654e3664f304e8d5862c", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tts/tts/Dockerfile"}, "region": {"startLine": 33}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 143295, "scanner": "repobility-docker", "fingerprint": "f9d530db1c02bd0537f50d840174d09e441c8a3fbc53d995c30da0134b899b51", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "byond", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f9d530db1c02bd0537f50d840174d09e441c8a3fbc53d995c30da0134b899b51"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 74}}}]}, {"ruleId": "DKR014", "level": "warning", "message": {"text": "Dockerfile copies broad context with incomplete .dockerignore"}, "properties": {"repobilityId": 143293, "scanner": "repobility-docker", "fingerprint": "ec1bf593bbe47d0875b4e97e4bc89356e5da04b5016dcdaf4a4d0eafbff67398", "category": "docker", "severity": "medium", "confidence": 0.76, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Broad context copy found and .dockerignore misses sensitive defaults.", "evidence": {"rule_id": "DKR014", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|ec1bf593bbe47d0875b4e97e4bc89356e5da04b5016dcdaf4a4d0eafbff67398", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 42}}}]}, {"ruleId": "DKR015", "level": "warning", "message": {"text": "Docker build context is very large"}, "properties": {"repobilityId": 143291, "scanner": "repobility-docker", "fingerprint": "b15d4f710afeff2af4cd4ab204332853f9025b78869a0e87bb466a798bb1a15b", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Estimated Docker build context exceeds Repobility's size or file-count threshold.", "evidence": {"capped": false, "rule_id": "DKR015", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "largest_paths": [{"path": "icons/hud/screen_full.dmi", "size_mb": 6.4}, {"path": "icons/effects/station_explosion.dmi", "size_mb": 4.9}, {"path": "_maps/map_files/NebulaStation/NebulaStation.dmm", "size_mb": 4.7}, {"path": "_maps/map_files/NSVBlueshift/Blueshift.dmm", "size_mb": 3.7}, {"path": 
"modular_nova/master_files/sound/ambience/mushroom/mushroom_theme.ogg", "size_mb": 3.1}], "included_files": 24137, "context_size_mb": 359.8, "correlation_key": "fp|b15d4f710afeff2af4cd4ab204332853f9025b78869a0e87bb466a798bb1a15b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC127", "level": "warning", "message": {"text": "[SEC127] AI agent stub \u2014 TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass shallow CI), but invoking it crashes or silently no-ops. AI agents consistently emit these when their context window runs out mid-implementation. Production callers hitting these stubs is a classic AI-generated-incident."}, "properties": {"repobilityId": 143257, "scanner": "repobility-threat-engine", "fingerprint": "7c26e3a1bbd3dfc10b3dab1edc70e3bd8e3ae875bbefaf5cdf70ebb6b8c40685", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "def should_run() -> bool:\n        raise NotImplementedError", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC127", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7c26e3a1bbd3dfc10b3dab1edc70e3bd8e3ae875bbefaf5cdf70ebb6b8c40685"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/ezdb/steps/step.py"}, "region": {"startLine": 5}}}]}, {"ruleId": "SEC042", "level": "warning", "message": {"text": "[SEC042] SQL identifier injection via f-string in cursor execute: f-string SQL normalizes an unsafe pattern. Currently safe when only trusted internal values are interpolated (e.g. self._table in Odoo), but a future contributor can extend the f-string to user input without noticing. CWE-89. 
Identifiers (table/column names) need a separate escaping path from values."}, "properties": {"repobilityId": 143256, "scanner": "repobility-threat-engine", "fingerprint": "cc3e660e7c2e8ffa81ac2880d3d1d9199c0f88523c78eb9561edebc9171f86eb", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cursor.execute(f\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC042", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|23|sec042"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/ezdb/steps/update_schema.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC042", "level": "warning", "message": {"text": "[SEC042] SQL identifier injection via f-string in cursor execute: f-string SQL normalizes an unsafe pattern. Currently safe when only trusted internal values are interpolated (e.g. self._table in Odoo), but a future contributor can extend the f-string to user input without noticing. CWE-89. 
Identifiers (table/column names) need a separate escaping path from values."}, "properties": {"repobilityId": 143255, "scanner": "repobility-threat-engine", "fingerprint": "03bc41b15a91886f21f9170b1254d2b3033a5c3b4fe9df8146248d266a582b8a", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "cursor.execute(f\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC042", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|21|sec042"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/ezdb/steps/install_initial_schema.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 143254, "scanner": "repobility-threat-engine", "fingerprint": "8a62191e5df34e3e6231fe89761786dd987c31b01a3cf728d2127b73819cfc7c", "category": "crypto", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "evidence": {"match": "def create_password", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|crypto|token|7|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/ezdb/steps/install_database.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "SEC001", "level": "warning", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 143234, "scanner": "repobility-threat-engine", "fingerprint": 
"7312496684b0db261458a7a289cbf876be02e98b31130cbe7f7d499021af7efd", "category": "credential_exposure", "severity": "medium", "confidence": 0.3, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Low entropy value (3.1 bits) \u2014 may be placeholder or common string", "evidence": {"match": "password = \"<redacted>\"", "reason": "Low entropy value (3.1 bits) \u2014 may be placeholder or common string", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.3, "correlation_key": "secret|tools/minibot/config.py|1|password redacted"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/minibot/config.py"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 143224, "scanner": "repobility-threat-engine", "fingerprint": "bd994e925bd6a8257d3386c5ef6d2d8bc1cb2cf9998faf6d9d504c20ce7c6062", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * 20000)}`,\n    'Setting up priv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bd994e925bd6a8257d3386c5ef6d2d8bc1cb2cf9998faf6d9d504c20ce7c6062"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/SyndicateContractor.tsx"}, "region": {"startLine": 107}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for 
tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 143223, "scanner": "repobility-threat-engine", "fingerprint": "48aebc09531420fa78547f83b84463b04b30c82259977808903bd6ee4ed9beb7", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * 20000)}`,\n    'Setting up priv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|48aebc09531420fa78547f83b84463b04b30c82259977808903bd6ee4ed9beb7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/SyndContractor.jsx"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. 
Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 143222, "scanner": "repobility-threat-engine", "fingerprint": "439814cc03c9118bb011c4e6cd1bf58d4f5aaa25d57f3afdb259ffa8604f351f", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Math.random() * 2 - 1, []);\n\n  function handleMouseDown(args: React.MouseEvent<HTMLDiv", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|439814cc03c9118bb011c4e6cd1bf58d4f5aaa25d57f3afdb259ffa8604f351f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/DetectiveBoard/Evidence.tsx"}, "region": {"startLine": 37}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 143210, "scanner": "repobility-threat-engine", "fingerprint": "ef41ff47114988573160547407e92f4ccf1e21f4fb65eff006422ea8658e6e0b", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pickle.loads(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|tools/minibot/minibot.py|98|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/minibot/minibot.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC007", "level": "warning", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, 
"properties": {"repobilityId": 143209, "scanner": "repobility-threat-engine", "fingerprint": "67b59f59cc776044bb69f9a064b3260cf23cddc32ce74a730ece83bc9fd14331", "category": "deserialization", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|93|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/Changelog.jsx"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 143198, "scanner": "repobility-threat-engine", "fingerprint": "958cbb923da6519645e62b23d776dd68fd1628c80c03a5ca50d19899c9e4d62e", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|100|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/ci/show_screenshot_test_results.js"}, "region": {"startLine": 100}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 143197, "scanner": "repobility-threat-engine", "fingerprint": "b46911792fc2258a885d3921fcedb6675984c51bc7a911b7197fdbb6727765bf", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|47|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/Interview.tsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. 
CWE-95 (eval injection)."}, "properties": {"repobilityId": 143196, "scanner": "repobility-threat-engine", "fingerprint": "522b15c8a90a84231579a3744bb2c247279fc3c9409c7677cf09400ad6d11e40", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|40|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui-panel/chat/replaceInTextNode.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). 
Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 143195, "scanner": "repobility-threat-engine", "fingerprint": "863292949ba55fa0e102557bc75a937ce2086ac90d13ce0c7c2446df85b3fbfb", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) {\n      return [];\n    }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|863292949ba55fa0e102557bc75a937ce2086ac90d13ce0c7c2446df85b3fbfb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui-dev-server/util.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 143169, "scanner": "repobility-threat-engine", "fingerprint": "e1ebbd4dc6f7ccaaed89908a04c2c93689f6af80733befc0e1b0479c4c54f6be", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (err) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e1ebbd4dc6f7ccaaed89908a04c2c93689f6af80733befc0e1b0479c4c54f6be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui-dev-server/link/client.ts"}, "region": {"startLine": 66}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 143168, "scanner": 
"repobility-threat-engine", "fingerprint": "6a3bb493575b04408917368d7f45d361fc0f25ec6bd778336b1964213b79d551", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "catch (err) {}", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6a3bb493575b04408917368d7f45d361fc0f25ec6bd778336b1964213b79d551"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "html/admin/search.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 143332, "scanner": "repobility-docker", "fingerprint": "4c9fdd15b04afa9c017cbed004e1e173ee3502601363f8381d632b254a2f87ad", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "tts", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|4c9fdd15b04afa9c017cbed004e1e173ee3502601363f8381d632b254a2f87ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tts/docker-compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 143331, "scanner": "repobility-docker", "fingerprint": "5610c657928a2aec03ffb6af023986f90e664d2d8c8ef02348ecf0f883c16b08", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": 
"Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "tts", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|5610c657928a2aec03ffb6af023986f90e664d2d8c8ef02348ecf0f883c16b08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tts/docker-compose.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 143330, "scanner": "repobility-docker", "fingerprint": "d9fa78ef2444754533b8729fba2982447b2adcb9fc48b96e9e83b8dd8655f280", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "tts-api", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|d9fa78ef2444754533b8729fba2982447b2adcb9fc48b96e9e83b8dd8655f280"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tts/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 143329, "scanner": "repobility-docker", "fingerprint": "99b600e908d481f08c3223b5bba2a52a2435a678f3ffb293e183b4feb04f8912", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "tts-api", "references": 
["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|99b600e908d481f08c3223b5bba2a52a2435a678f3ffb293e183b4feb04f8912"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tts/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 143328, "scanner": "repobility-docker", "fingerprint": "c26a2afd483af5f643d0ca5fd79c0d559e3cd2cae13a2f401c804ca181b4a183", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "setup", "dependency": "mariadb", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|c26a2afd483af5f643d0ca5fd79c0d559e3cd2cae13a2f401c804ca181b4a183", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/LinuxOneShot/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 143327, "scanner": "repobility-docker", "fingerprint": "3c3911ca3a763a272bfa10d4e1f99e85770c0daafee94b32fb3074d018204f7d", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "setup", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3c3911ca3a763a272bfa10d4e1f99e85770c0daafee94b32fb3074d018204f7d"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "tools/LinuxOneShot/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 143326, "scanner": "repobility-docker", "fingerprint": "89d6794eeb582e1473d002dc8732f5c8f0f1e598244d6a3bb0782614c42a1c09", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "setup", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|89d6794eeb582e1473d002dc8732f5c8f0f1e598244d6a3bb0782614c42a1c09"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/LinuxOneShot/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 143325, "scanner": "repobility-docker", "fingerprint": "0abbb4ba1736fd3a2d22cad5771cb7c4a7ded4c329b5f7c83cb6d5c9c47b6bfc", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "tgs", "dependency": "mariadb", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|0abbb4ba1736fd3a2d22cad5771cb7c4a7ded4c329b5f7c83cb6d5c9c47b6bfc", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/LinuxOneShot/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKC010", "level": "note", 
"message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 143324, "scanner": "repobility-docker", "fingerprint": "fd1663bc128a768b1f811e7d35999360f4191ebaf8e32fd5dc1643084df3c6ec", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "tgs", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fd1663bc128a768b1f811e7d35999360f4191ebaf8e32fd5dc1643084df3c6ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/LinuxOneShot/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 143322, "scanner": "repobility-docker", "fingerprint": "a528671fdcc61a7df10acc50c6c87b7f54ff0355e2f7a2bfa5116649aee8560a", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "tgs", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|a528671fdcc61a7df10acc50c6c87b7f54ff0355e2f7a2bfa5116649aee8560a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/LinuxOneShot/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 143315, "scanner": "repobility-docker", "fingerprint": 
"1511d686006215da58275f36fc00d8b7bb1d42dd13fd0b65a7314094a23d8715", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "adminer", "dependency": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|1511d686006215da58275f36fc00d8b7bb1d42dd13fd0b65a7314094a23d8715", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/DockerTestServer/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 143314, "scanner": "repobility-docker", "fingerprint": "7e0d5fcadc03308b6077059301d5d93b8f8d7971f9ecb0ced0035ebbb52cea46", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "adminer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7e0d5fcadc03308b6077059301d5d93b8f8d7971f9ecb0ced0035ebbb52cea46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/DockerTestServer/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 143313, "scanner": "repobility-docker", "fingerprint": "835f0ce77f5673ef562d82cd305b6a4e55eef4084ed2eb9d637d2a6bd607c6c8", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": 
"needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "adminer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|835f0ce77f5673ef562d82cd305b6a4e55eef4084ed2eb9d637d2a6bd607c6c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/DockerTestServer/docker-compose.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 143308, "scanner": "repobility-docker", "fingerprint": "0d2ffb335d861bf2510a824edd13c8f9a33affad69ecf9e2d0c0797510201bed", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "dreammaker", "dependency": "db", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|0d2ffb335d861bf2510a824edd13c8f9a33affad69ecf9e2d0c0797510201bed", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/DockerTestServer/docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 143307, "scanner": "repobility-docker", "fingerprint": "b075a5ca2fe7185718d7042a49c66de8b0b37f3aa4806231b50dd41e81bdfe37", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", 
"scanner": "repobility-docker", "service": "dreammaker", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b075a5ca2fe7185718d7042a49c66de8b0b37f3aa4806231b50dd41e81bdfe37"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/DockerTestServer/docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 143306, "scanner": "repobility-docker", "fingerprint": "7da04d3c8248e77ba86448605866d745f8e9762aafcb053cfebbb3547f81f6a5", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "dreammaker", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7da04d3c8248e77ba86448605866d745f8e9762aafcb053cfebbb3547f81f6a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/DockerTestServer/docker-compose.yml"}, "region": {"startLine": 4}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 143302, "scanner": "repobility-docker", "fingerprint": "e844ed32c51e5123fd6fbf60b694b1f4ff4b4af4a6105955a8020f9280483da9", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|e844ed32c51e5123fd6fbf60b694b1f4ff4b4af4a6105955a8020f9280483da9"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tts/tts-api/Dockerfile"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 143301, "scanner": "repobility-docker", "fingerprint": "f6a6a4b7745a0ca5505f9555fd8b657720547202b7059500350cc01e3e2306f3", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|f6a6a4b7745a0ca5505f9555fd8b657720547202b7059500350cc01e3e2306f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tts/tts-api/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR012", "level": "note", "message": {"text": "Dockerfile keeps pip download cache"}, "properties": {"repobilityId": 143298, "scanner": "repobility-docker", "fingerprint": "17530f3ccffee168425fd2ae320eadc53ee63e844ae8831e927809a01f4e8b96", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "pip install appears without --no-cache-dir.", "evidence": {"rule_id": "DKR012", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|17530f3ccffee168425fd2ae320eadc53ee63e844ae8831e927809a01f4e8b96"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tts/tts/Dockerfile"}, "region": {"startLine": 25}}}]}, {"ruleId": "DKR011", "level": "note", "message": {"text": "Dockerfile installs recommended OS packages"}, "properties": {"repobilityId": 143297, "scanner": "repobility-docker", 
"fingerprint": "9daef7fffbd8d3bbbc429b51384db77c03ff5e02420f2c4d50b9a004393abfc4", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "apt install appears without --no-install-recommends.", "evidence": {"rule_id": "DKR011", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|9daef7fffbd8d3bbbc429b51384db77c03ff5e02420f2c4d50b9a004393abfc4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tts/tts/Dockerfile"}, "region": {"startLine": 5}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 143296, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", ".git", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKR010", "level": "note", "message": {"text": "Dockerfile leaves apt package indexes in the image layer"}, "properties": {"repobilityId": 143292, "scanner": "repobility-docker", "fingerprint": "87dddfd588d4a2ce30b2df8deffa1276a8d3d6b738b14f5b5d06427392db8cbd", "category": "docker", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": 
"apt update/install layer does not remove /var/lib/apt/lists.", "evidence": {"rule_id": "DKR010", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|87dddfd588d4a2ce30b2df8deffa1276a8d3d6b738b14f5b5d06427392db8cbd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 4}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143290, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9aabecb26286b2f34a42d0e9c603d9da0a15c1b4f4c00a2285803a768bd0f757", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tgui/packages/tgui/interfaces/HypnoChair.jsx", "duplicate_line": 25, "correlation_key": "fp|9aabecb26286b2f34a42d0e9c603d9da0a15c1b4f4c00a2285803a768bd0f757"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/ImplantChair.jsx"}, "region": {"startLine": 13}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143289, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e8de2afbd12d6d421ee2769b8b95e22b6d86e09825ac233a10bbb53281490a24", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], 
"duplicate_file": "tgui/packages/tgui/interfaces/ComponentPrinter.tsx", "duplicate_line": 81, "correlation_key": "fp|e8de2afbd12d6d421ee2769b8b95e22b6d86e09825ac233a10bbb53281490a24"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/Fabricator.tsx"}, "region": {"startLine": 155}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143288, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c8a5a561ff3c08c9f243f76b11be5c96653abf73f332ca6205cbded4aa4f00d1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tgui/packages/tgui/interfaces/Autolathe.tsx", "duplicate_line": 208, "correlation_key": "fp|c8a5a561ff3c08c9f243f76b11be5c96653abf73f332ca6205cbded4aa4f00d1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/Fabricator.tsx"}, "region": {"startLine": 147}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143287, "scanner": "repobility-ai-code-hygiene", "fingerprint": "545fcbf157b71bc7acfe1fd69784fd1f27612e7e60c6e71b0935cccf29cd6746", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tgui/packages/tgui/interfaces/ExosuitFabricator.tsx", "duplicate_line": 86, 
"correlation_key": "fp|545fcbf157b71bc7acfe1fd69784fd1f27612e7e60c6e71b0935cccf29cd6746"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/Fabricator.tsx"}, "region": {"startLine": 142}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143286, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c3787c3be1f4c92bcdf214e4885b109108639dab85ec441ceb99bb5066914f9f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tgui/packages/tgui/interfaces/ComponentPrinter.tsx", "duplicate_line": 87, "correlation_key": "fp|c3787c3be1f4c92bcdf214e4885b109108639dab85ec441ceb99bb5066914f9f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/ExosuitFabricator.tsx"}, "region": {"startLine": 106}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143285, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a599bb1699169afffe8bb5fa9a81e62f713be3126b813a067437782884c564b2", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tgui/packages/tgui/interfaces/Autolathe.tsx", "duplicate_line": 208, "correlation_key": "fp|a599bb1699169afffe8bb5fa9a81e62f713be3126b813a067437782884c564b2"}}, 
"locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/ExosuitFabricator.tsx"}, "region": {"startLine": 91}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143284, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f8b53c6c076296da0319760a2dd3673438d3c7cc2a4ef74e439d1385fe5e311a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tgui/packages/tgui/interfaces/Autolathe.tsx", "duplicate_line": 208, "correlation_key": "fp|f8b53c6c076296da0319760a2dd3673438d3c7cc2a4ef74e439d1385fe5e311a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/ComponentPrinter.tsx"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143283, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8abb3fb58c26c0ba442b89da18e04e891294a3e8c3cce4ef80a62daf0bafcd25", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tgui/packages/tgui/interfaces/AirlockElectronics.tsx", "duplicate_line": 139, "correlation_key": "fp|8abb3fb58c26c0ba442b89da18e04e891294a3e8c3cce4ef80a62daf0bafcd25"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"tgui/packages/tgui/interfaces/CircuitAccessChecker.tsx"}, "region": {"startLine": 26}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143282, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3ab4836068497cea5867907d2ce0f180b67fff5b1003c4d7db7f872f8200b61d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tgui/packages/tgui/interfaces/ChemHeater.tsx", "duplicate_line": 242, "correlation_key": "fp|3ab4836068497cea5867907d2ce0f180b67fff5b1003c4d7db7f872f8200b61d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/ChemReactionChamber.tsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143281, "scanner": "repobility-ai-code-hygiene", "fingerprint": "880540ea5d1d390e10397a1bbb42ad71da341b3d9a1d5cd56eac140dc5b656e5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tgui/packages/tgui/interfaces/ChemMixingChamber.tsx", "duplicate_line": 32, "correlation_key": "fp|880540ea5d1d390e10397a1bbb42ad71da341b3d9a1d5cd56eac140dc5b656e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/ChemReactionChamber.tsx"}, "region": {"startLine": 
38}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143280, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7ea9419bba28b10744d8cf0b4d1d03d7a3a88fa3b5f5a3a3912c9c1d4507c238", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tgui/packages/tgui/interfaces/ChemPress.jsx", "duplicate_line": 66, "correlation_key": "fp|7ea9419bba28b10744d8cf0b4d1d03d7a3a88fa3b5f5a3a3912c9c1d4507c238"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/ChemPress.tsx"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143279, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a43673658feea9a7c10faab05249042457693e8ef3500e15101416bf43ba390e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tgui/packages/tgui/interfaces/ChemHeater.tsx", "duplicate_line": 242, "correlation_key": "fp|a43673658feea9a7c10faab05249042457693e8ef3500e15101416bf43ba390e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/ChemMixingChamber.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block 
across source files"}, "properties": {"repobilityId": 143278, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7d2b9e40fe4d9dbd18d5c127f0e4ca77bd52124ed2536c0e3cab12fc9b55bd28", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tgui/packages/tgui/interfaces/ArmamentStation.jsx", "duplicate_line": 58, "correlation_key": "fp|7d2b9e40fe4d9dbd18d5c127f0e4ca77bd52124ed2536c0e3cab12fc9b55bd28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/CargoImportConsole.jsx"}, "region": {"startLine": 57}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143277, "scanner": "repobility-ai-code-hygiene", "fingerprint": "89aa5fc89df585014d7ead6da4dbcf966fd006bf625d5bad86814abe6d1c2f8f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tgui/packages/tgui/interfaces/BluespaceArtillery.tsx", "duplicate_line": 26, "correlation_key": "fp|89aa5fc89df585014d7ead6da4dbcf966fd006bf625d5bad86814abe6d1c2f8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/BluespaceArtilleryNova.tsx"}, "region": {"startLine": 86}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143276, "scanner": 
"repobility-ai-code-hygiene", "fingerprint": "e73e83d127fc4e8857921ea27faa5b1956c361ff308632d517c038bc0dfbe34e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tgui/packages/tgui/interfaces/AtmosPump.tsx", "duplicate_line": 20, "correlation_key": "fp|e73e83d127fc4e8857921ea27faa5b1956c361ff308632d517c038bc0dfbe34e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/AtmosTempPump.tsx"}, "region": {"startLine": 18}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143275, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e4a6c4ac358eaee9dc0cf2f09909ee9d88867f90ee0c0ebca7b738e6c0d108a8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tgui/packages/tgui/interfaces/AtmosPump.tsx", "duplicate_line": 20, "correlation_key": "fp|e4a6c4ac358eaee9dc0cf2f09909ee9d88867f90ee0c0ebca7b738e6c0d108a8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/AtmosTempGate.tsx"}, "region": {"startLine": 19}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143274, "scanner": "repobility-ai-code-hygiene", "fingerprint": 
"34dcb1a244fbbb640c1cce3a0c0dc90baf8f8f9db8089b0eb8632bff1d1eab2e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tgui/packages/tgui/interfaces/AtmosMixer.tsx", "duplicate_line": 43, "correlation_key": "fp|34dcb1a244fbbb640c1cce3a0c0dc90baf8f8f9db8089b0eb8632bff1d1eab2e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/AtmosPump.tsx"}, "region": {"startLine": 66}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143273, "scanner": "repobility-ai-code-hygiene", "fingerprint": "03a5fed1303359c139c53a41cd2f71a15c05cf9546cbe6e9f67d924a6c80d936", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tgui/packages/tgui/interfaces/AtmosFilter.tsx", "duplicate_line": 46, "correlation_key": "fp|03a5fed1303359c139c53a41cd2f71a15c05cf9546cbe6e9f67d924a6c80d936"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/AtmosPump.tsx"}, "region": {"startLine": 39}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143272, "scanner": "repobility-ai-code-hygiene", "fingerprint": "16ada34d08f6ac9b83fa0e5f4728a75dacf0eab286338e314781ea8362a309ab", "category": "quality", "severity": "low", 
"confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tgui/packages/tgui/interfaces/AntagInfoMalf.tsx", "duplicate_line": 149, "correlation_key": "fp|16ada34d08f6ac9b83fa0e5f4728a75dacf0eab286338e314781ea8362a309ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/AntagInfoTraitor.tsx"}, "region": {"startLine": 160}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 143271, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6a04f70f9e62046d364b7d4733b39286b2484b20925eda0c4ec5cdf64a309395", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "tgui/packages/tgui/interfaces/AiCoreDisplayPicker.tsx", "duplicate_line": 48, "correlation_key": "fp|6a04f70f9e62046d364b7d4733b39286b2484b20925eda0c4ec5cdf64a309395"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/AiStatusDisplayPicker.tsx"}, "region": {"startLine": 54}}}]}, {"ruleId": "SEC124", "level": "note", "message": {"text": "[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). 
`mktemp` is deprecated for the same reason."}, "properties": {"repobilityId": 143268, "scanner": "repobility-threat-engine", "fingerprint": "fb01ca23ad22ba8bb7b72d59380fc3364ee89338da810ecb61ca6574e74df55b", "category": "race_condition", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "os.path.exists(archiveDir):\n                    os.makedirs(archiveDir)\n                currentFile", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC124", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fb01ca23ad22ba8bb7b72d59380fc3364ee89338da810ecb61ca6574e74df55b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/ss13_genchangelog.py"}, "region": {"startLine": 91}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 143161, "scanner": "repobility-threat-engine", "fingerprint": "f51207069313a1927850d110dde52b9760e6457c8573bd47b221fefd2cfade92", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Please wait ' +\n                      cooldown_string +\n                      ' before sending your", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f51207069313a1927850d110dde52b9760e6457c8573bd47b221fefd2cfade92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/LibraryConsole/screens/Upload.tsx"}, "region": {"startLine": 124}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 143160, "scanner": "repobility-threat-engine", "fingerprint": "610d0e4636b61c765da7c684070daf209fe575e4427f4b54d43d6a387fb1e148", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "' You are grateful to be self aware and owe ' +\n                    enslaved_to +", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|610d0e4636b61c765da7c684070daf209fe575e4427f4b54d43d6a387fb1e148"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/AntagInfoSentient.jsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "SEC132", "level": "note", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template literals since ES6). Not a vulnerability on its own, but a style signature of cross-language AI rewrites \u2014 the model wrote idiomatic Java/C# and then translated mechanically. 
When this style appears in only *some* files of a repo, it's a strong indicator of an AI-driven rewrite that needs a human review p"}, "properties": {"repobilityId": 143159, "scanner": "repobility-threat-engine", "fingerprint": "6f76f43a5aa7bd4e3a156b9570118b2840b4a9458d84b86f442813b2908dfe9d", "category": "quality", "severity": "low", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "\"SELECT id FROM \" + current_table + \" ORDER BY bantime ASC\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6f76f43a5aa7bd4e3a156b9570118b2840b4a9458d84b86f442813b2908dfe9d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "SQL/ban_conversion_2018-10-28.py"}, "region": {"startLine": 125}}}]}, {"ruleId": "COMP001", "level": "note", "message": {"text": "[COMP001] High cognitive complexity: Function `parse_role` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: elif=2, else=2, if=2, nested_bonus=3."}, "properties": {"repobilityId": 143156, "scanner": "repobility-threat-engine", "fingerprint": "9e11c8f974518206da0a3d7f275cb31efdc36b14e6e792861df17b150b29a7b2", "category": "quality", "severity": "low", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 9 (severity threshold for low: 8+).", "evidence": {"scanner": "repobility-threat-engine", "function": "parse_role", "breakdown": {"if": 2, "elif": 2, "else": 2, "nested_bonus": 3}, "complexity": 9, "correlation_key": "fp|9e11c8f974518206da0a3d7f275cb31efdc36b14e6e792861df17b150b29a7b2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "SQL/ban_conversion_2018-10-28.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED051", "level": "none", "message": {"text": "[MINED051] Csharp Null Forgive: x! tells compiler \"definitely not null\" \u2014 bypasses nullable check. NRE risk if wrong."}, "properties": {"repobilityId": 143270, "scanner": "repobility-threat-engine", "fingerprint": "df3d07130774ce52b74ff58d8883273aa60221701597347e83b30911ab0cd099", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "csharp-null-forgive", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["csharp"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348020+00:00", "triaged_in_corpus": 12, "observations_count": 518114, "ai_coder_pattern_id": 173}, "scanner": "repobility-threat-engine", "correlation_key": "fp|df3d07130774ce52b74ff58d8883273aa60221701597347e83b30911ab0cd099"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tgs_test/Program.cs"}, "region": {"startLine": 67}}}]}, {"ruleId": "MINED063", "level": "none", "message": {"text": "[MINED063] Toctou Os Path 
Exists: if os.path.exists(p): open(p) \u2014 file can be replaced/deleted between check and use."}, "properties": {"repobilityId": 143269, "scanner": "repobility-threat-engine", "fingerprint": "cdd813bcbad7cb8d2420bb06c555173a89ec479560bb5b5e2a6d1d53eec30ff6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "toctou-os-path-exists", "owasp": null, "cwe_ids": ["CWE-367"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348048+00:00", "triaged_in_corpus": 12, "observations_count": 90754, "ai_coder_pattern_id": 41}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cdd813bcbad7cb8d2420bb06c555173a89ec479560bb5b5e2a6d1d53eec30ff6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/ss13_genchangelog.py"}, "region": {"startLine": 120}}}]}, {"ruleId": "MINED064", "level": "none", "message": {"text": "[MINED064] Python Input Call: input() blocks for stdin. 
Inappropriate in services."}, "properties": {"repobilityId": 143265, "scanner": "repobility-threat-engine", "fingerprint": "3cde1cbeabe1f15a5bad3103a16f8c7af6eecdaf0487562e10d49aa857cae089", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-input-call", "owasp": null, "cwe_ids": [], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348050+00:00", "triaged_in_corpus": 12, "observations_count": 66378, "ai_coder_pattern_id": 124}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3cde1cbeabe1f15a5bad3103a16f8c7af6eecdaf0487562e10d49aa857cae089"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/mapmerge2/frontend.py"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED072", "level": "none", "message": {"text": "[MINED072] Python Pass Only Class: class Foo: pass \u2014 stub waiting to be filled in."}, "properties": {"repobilityId": 143264, "scanner": "repobility-threat-engine", "fingerprint": "3a26957bad941a4b7dbd72f5e2a34a0b58b76291da1afff3d1695db59d089b76", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pass-only-class", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348069+00:00", "triaged_in_corpus": 10, "observations_count": 14245, "ai_coder_pattern_id": 143}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3a26957bad941a4b7dbd72f5e2a34a0b58b76291da1afff3d1695db59d089b76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/maplint/source/error.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "SEC005", 
"level": "none", "message": {"text": "[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input."}, "properties": {"repobilityId": 143258, "scanner": "repobility-threat-engine", "fingerprint": "19ec77724fd27891c741e2b891d40f3e5460e5673bcc49287a9655edde9d4152", "category": "injection", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Pattern inside a raw string \u2014 regex or pattern definition, not executable code", "evidence": {"match": "subprocess.run(f\"{path_to_us}/../build/build.sh --force-recut --ci icon-cutter\", shell = True", "reason": "Pattern inside a raw string \u2014 regex or pattern definition, not executable code", "rule_id": "SEC005", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|injection|tools/icon_cutter/check.py|105|sec005"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/icon_cutter/check.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 143253, "scanner": "repobility-threat-engine", "fingerprint": "6a2d6864d69bd53329d07ac2816a1956d43904cdbea12ccb60708a0f969410dd", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6a2d6864d69bd53329d07ac2816a1956d43904cdbea12ccb60708a0f969410dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tts/tts-api/tts-api.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED067", "level": "none", "message": {"text": "[MINED067] Python Requests No Timeout: requests.get/post/etc. 
without timeout= can hang forever."}, "properties": {"repobilityId": 143252, "scanner": "repobility-threat-engine", "fingerprint": "e09b59d47b2ab95f67ad4f74e3648b88efaf44c5f8086337cdba186c62e796f5", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-requests-no-timeout", "owasp": null, "cwe_ids": ["CWE-400"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348058+00:00", "triaged_in_corpus": 12, "observations_count": 45429, "ai_coder_pattern_id": 122}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e09b59d47b2ab95f67ad4f74e3648b88efaf44c5f8086337cdba186c62e796f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/discordRoleScript/Script.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 143245, "scanner": "repobility-threat-engine", "fingerprint": "2ceff3ec0a7ac420bef85b5863359daa8659fb729a5ec86c6ed886c622246de6", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "print(f\"Maps WILL{'' if settings.tgm else ' NOT'} be converted to tgm.\")", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|tools/mapmerge2/frontend.py|9|print f maps will if settings.tgm else not be converted to tgm."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/mapmerge2/frontend.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 143244, "scanner": "repobility-threat-engine", "fingerprint": "e7388ed9106f2abc6d4db3a6caf25164622bf2a19d52b4e853d25fa5795fcb90", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "print(\"Creating config...\")", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|3|print creating config..."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/ezdb/steps/install_database.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. 
This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 143243, "scanner": "repobility-threat-engine", "fingerprint": "e7aa5c5980e5fc0f5436a8a9e82f4bac8835446292f013cdbb2a71a81282382f", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "evidence": {"match": "console.error(\"PASSWORD was not set.\")", "reason": "Log line appears to mention secret metadata or a redacted value rather than printing the secret", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|tools/autowiki/autowiki.js|1|console.error password was not set."}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/autowiki/autowiki.js"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 143242, "scanner": "repobility-threat-engine", "fingerprint": "65bcd7f326bc59f8b4437e46d4ab6a55a7a5b15fd03b0952dee24ac035ca5b3d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|65bcd7f326bc59f8b4437e46d4ab6a55a7a5b15fd03b0952dee24ac035ca5b3d", "aggregated_count": 5}}}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 143241, "scanner": "repobility-threat-engine", "fingerprint": "5c34e40343774757225b5ad16cbb9f928a654058c474e44e88343e13845c1865", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5c34e40343774757225b5ad16cbb9f928a654058c474e44e88343e13845c1865"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/ezdb/steps/step.py"}, "region": {"startLine": 6}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 143240, "scanner": "repobility-threat-engine", "fingerprint": "6277e1752fa41fec71a11159a3a75eeff624aea773d58e7295179d8db11085b4", "category": "quality", "severity": 
"info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6277e1752fa41fec71a11159a3a75eeff624aea773d58e7295179d8db11085b4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/dmi/__init__.py"}, "region": {"startLine": 94}}}]}, {"ruleId": "MINED050", "level": "none", "message": {"text": "[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment."}, "properties": {"repobilityId": 143239, "scanner": "repobility-threat-engine", "fingerprint": "8f35658c3e1bf54cee4ea90c6a0b614db75b898dde7111632faf488fffb0edcc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "stub-only-function", "owasp": null, "cwe_ids": ["CWE-1188"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348017+00:00", "triaged_in_corpus": 12, "observations_count": 633513, "ai_coder_pattern_id": 2}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8f35658c3e1bf54cee4ea90c6a0b614db75b898dde7111632faf488fffb0edcc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/HitboxExpander/__main__.py"}, "region": {"startLine": 88}}}]}, {"ruleId": "MINED001", "level": "none", "message": {"text": "[MINED001] Bare Except Pass (and 1 more): Same pattern found in 1 additional files. 
Review if needed."}, "properties": {"repobilityId": 143238, "scanner": "repobility-threat-engine", "fingerprint": "3ed4a11ec48650075e843160edf55362aa121897a652d0286a1dc826dd94d954", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|3ed4a11ec48650075e843160edf55362aa121897a652d0286a1dc826dd94d954", "aggregated_count": 1}}}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 1 more): Same pattern found in 1 additional files. Review if needed."}, "properties": {"repobilityId": 143232, "scanner": "repobility-threat-engine", "fingerprint": "a51fc5b757daa107ff993d54388f809af87b26cac35292629b20c635c24267fc", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a51fc5b757daa107ff993d54388f809af87b26cac35292629b20c635c24267fc", "aggregated_count": 1}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 143228, "scanner": "repobility-threat-engine", "fingerprint": "9538f1e64abc06611cb760d4cf74131bb8d1179208b0f6494ae6336a088ba74b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9538f1e64abc06611cb760d4cf74131bb8d1179208b0f6494ae6336a088ba74b", "aggregated_count": 2}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 143227, "scanner": "repobility-threat-engine", "fingerprint": "cce697714742456579f35f7fc7f9b27bfb61fc767a63d7e63f7a16a360559154", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cce697714742456579f35f7fc7f9b27bfb61fc767a63d7e63f7a16a360559154"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/SmartVend.tsx"}, "region": {"startLine": 156}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 143226, "scanner": "repobility-threat-engine", "fingerprint": "6b0309210775eb4d17f01b5055c4268fca516f38c879983a7d1d2877a1f948d6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6b0309210775eb4d17f01b5055c4268fca516f38c879983a7d1d2877a1f948d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/PreferencesMenu/preferences/features/base.tsx"}, "region": {"startLine": 243}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 143225, "scanner": "repobility-threat-engine", "fingerprint": "de70e5885e19e135f07cd6090eb0202f1d6ac4b45c7416f9180172cf58797d4d", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|de70e5885e19e135f07cd6090eb0202f1d6ac4b45c7416f9180172cf58797d4d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/Microscope.tsx"}, "region": {"startLine": 181}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html (and 10 more): Same pattern found in 10 additional files. 
Review if needed."}, "properties": {"repobilityId": 143221, "scanner": "repobility-threat-engine", "fingerprint": "9fcbfefcca1e8a351de0d2ba8db655775439df42c0fcabad155832e54f003d97", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 10 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|9fcbfefcca1e8a351de0d2ba8db655775439df42c0fcabad155832e54f003d97", "aggregated_count": 10}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 143220, "scanner": "repobility-threat-engine", "fingerprint": "b234a5527100a2f8369eba1936d362de4d739199ffcf2d770efac556671f7204", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b234a5527100a2f8369eba1936d362de4d739199ffcf2d770efac556671f7204"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/DetectiveBoard/Evidence.tsx"}, "region": {"startLine": 173}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 143219, "scanner": "repobility-threat-engine", "fingerprint": "79497ae81f607c00b01b23326d19b7b3b5bf2fb40dade705ca47440cf731f15f", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|79497ae81f607c00b01b23326d19b7b3b5bf2fb40dade705ca47440cf731f15f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/CommunicationsConsole/Messages.tsx"}, "region": {"startLine": 76}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. 
Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 143218, "scanner": "repobility-threat-engine", "fingerprint": "e50acce21a2ed3eb049819c51ea473c8b4cdece66d4b575a609fec16efbde8a4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|e50acce21a2ed3eb049819c51ea473c8b4cdece66d4b575a609fec16efbde8a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/CivCargoHoldTerminal.tsx"}, "region": {"startLine": 237}}}]}, {"ruleId": "SEC007", "level": "none", "message": {"text": "[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code."}, "properties": {"repobilityId": 143211, "scanner": "repobility-threat-engine", "fingerprint": "baaa91a45642276f04f3a6725783d553222f5793c3e343a2418d2fb0c5cdd43b", "category": "deserialization", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'SafeLoader' detected on same line", "evidence": {"match": "yaml.load(", "reason": "Safe pattern 'SafeLoader' detected on same line", "rule_id": "SEC007", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|deserialization|tools/ss13_genchangelog.py|118|sec007"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/ss13_genchangelog.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As 
Index (and 74 more): Same pattern found in 74 additional files. Review if needed."}, "properties": {"repobilityId": 143208, "scanner": "repobility-threat-engine", "fingerprint": "d5242bb0025ec6219ae5b80e50f93ad60636b44031c122ee5552f493789f7d4a", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 74 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d5242bb0025ec6219ae5b80e50f93ad60636b44031c122ee5552f493789f7d4a", "aggregated_count": 74}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 143207, "scanner": "repobility-threat-engine", "fingerprint": "d6f597406b28ff29a1ccf11eab3ea931a5de1bb843446d5078f8cda61898440a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d6f597406b28ff29a1ccf11eab3ea931a5de1bb843446d5078f8cda61898440a"}}, "locations": 
[{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/AntagInfoBlob.tsx"}, "region": {"startLine": 208}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 143206, "scanner": "repobility-threat-engine", "fingerprint": "544b033bd61685b92cc2ac8f2b2aafc66aa197dfd7caf667e4145d222e7294d7", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|544b033bd61685b92cc2ac8f2b2aafc66aa197dfd7caf667e4145d222e7294d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/AlertModal.tsx"}, "region": {"startLine": 140}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 143205, "scanner": "repobility-threat-engine", "fingerprint": "ce2d40a75d48c663684fe8ba708158bea5349f45e1ec18c42bb82e35a978d097", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": 
"2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ce2d40a75d48c663684fe8ba708158bea5349f45e1ec18c42bb82e35a978d097"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui-panel/settings/TextHighlight.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 1 more): Same pattern found in 1 additional file. Review if needed."}, "properties": {"repobilityId": 143199, "scanner": "repobility-threat-engine", "fingerprint": "c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 1 additional occurrence found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c59edcd8286991ab7caac4493f8f01b268fef2a5d218265ad20f6e2d1172fefb"}}}, {"ruleId": "SEC118", "level": "none", "message": {"text": "[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. 
Used as a session token or password-reset key, it's enumerable."}, "properties": {"repobilityId": 143194, "scanner": "repobility-threat-engine", "fingerprint": "d42fa4dbfdd427f2083772c1de336ba4df491a8f9757d18b46b3808d004b3072", "category": "crypto", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'randomUUID' detected on same line", "evidence": {"match": "crypto.randomUUID", "reason": "Safe pattern 'randomUUID' detected on same line", "rule_id": "SEC118", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "code|crypto|token|102|sec118"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui-dev-server/link/server.ts"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 13 more): Same pattern found in 13 additional files. Review if needed."}, "properties": {"repobilityId": 143193, "scanner": "repobility-threat-engine", "fingerprint": "32a0c4b8eb59896358b09f6f62cfc62156eff6eb76004bde5c08520a91514dfe", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 13 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|32a0c4b8eb59896358b09f6f62cfc62156eff6eb76004bde5c08520a91514dfe", "aggregated_count": 13}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 143192, "scanner": "repobility-threat-engine", "fingerprint": "ec57a8fb321180b3077c5d3d67e26656915dfebd973e8e40a6fe99e8c5fef4c3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ec57a8fb321180b3077c5d3d67e26656915dfebd973e8e40a6fe99e8c5fef4c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui-panel/chat/handlers.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 143191, "scanner": "repobility-threat-engine", "fingerprint": "d61204837767d2f9dd0ac461accbb16696ce50eb1670c95f0705bb4f79309394", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d61204837767d2f9dd0ac461accbb16696ce50eb1670c95f0705bb4f79309394"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui-dev-server/logging.ts"}, "region": {"startLine": 60}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. 
Should be replaced with logger or removed."}, "properties": {"repobilityId": 143190, "scanner": "repobility-threat-engine", "fingerprint": "7c833d3dace9be4223f89d1ba4108c834e839add2a838e4d3a7e68618d6dc8d4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7c833d3dace9be4223f89d1ba4108c834e839add2a838e4d3a7e68618d6dc8d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui-dev-server/link/client.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 143189, "scanner": "repobility-threat-engine", "fingerprint": "0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "aggregated_count": 3}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 143188, "scanner": "repobility-threat-engine", "fingerprint": "ecdc2cbb9ff1489bed2a2024cc0fef1f57ddce0439c48f3fb0489b53479cbb99", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ecdc2cbb9ff1489bed2a2024cc0fef1f57ddce0439c48f3fb0489b53479cbb99"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/ci/download_byond.sh"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 143187, "scanner": "repobility-threat-engine", "fingerprint": "0f097322ac4aec0e7593656713ce563282b58ab0d70121a8df2ec28ba02fefdb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", 
"isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|0f097322ac4aec0e7593656713ce563282b58ab0d70121a8df2ec28ba02fefdb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/Changelog.jsx"}, "region": {"startLine": 238}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 143186, "scanner": "repobility-threat-engine", "fingerprint": "a5b0cbd51fd850fb1d8a356b28b9b360a50aa36f1577676f2a422bf1d66940e3", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a5b0cbd51fd850fb1d8a356b28b9b360a50aa36f1577676f2a422bf1d66940e3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui-dev-server/dreamseeker.ts"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 2 more): Same pattern found in 2 additional files. 
Review if needed."}, "properties": {"repobilityId": 143185, "scanner": "repobility-threat-engine", "fingerprint": "3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|3dd4caf8fa81c20f9eace7ffa5194145968292c35b4d876b17652877ff96f545"}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 143181, "scanner": "repobility-threat-engine", "fingerprint": "fd5263f259df18a6d881fa012e78c00f0f8814bd1b866788a5442afaae3a615d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|fd5263f259df18a6d881fa012e78c00f0f8814bd1b866788a5442afaae3a615d", "aggregated_count": 19}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 143180, "scanner": "repobility-threat-engine", "fingerprint": "ae566b5fd91b9edbfb86bf14c716ce8e2e0f51b16ae5a7bc3014e9c4caba1768", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ae566b5fd91b9edbfb86bf14c716ce8e2e0f51b16ae5a7bc3014e9c4caba1768"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui-panel/telemetry/handlers.ts"}, "region": {"startLine": 78}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 143179, "scanner": "repobility-threat-engine", "fingerprint": "13ecc901b320746e49ede5effdec033b0a0379221fa975f0c2709026e40786d4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|13ecc901b320746e49ede5effdec033b0a0379221fa975f0c2709026e40786d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui-dev-server/link/retrace.ts"}, "region": {"startLine": 56}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! 
asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 143178, "scanner": "repobility-threat-engine", "fingerprint": "10bbf72113e8886c53aa9800c9996cb58fda59a60610b3bb2617f97594584c85", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|10bbf72113e8886c53aa9800c9996cb58fda59a60610b3bb2617f97594584c85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/common/type-safety.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 25 more): Same pattern found in 25 additional files. Review if needed."}, "properties": {"repobilityId": 143177, "scanner": "repobility-threat-engine", "fingerprint": "ddb605446dfa9c868be0f688b304c0be3e46ba5fd733742cdad1f67f5b18aa6d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 25 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|ddb605446dfa9c868be0f688b304c0be3e46ba5fd733742cdad1f67f5b18aa6d", "aggregated_count": 25}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 143176, "scanner": "repobility-threat-engine", "fingerprint": "2edd80c6016e386f5c709aef284b0adf3f41f5ce9e634d6e0731612cb9e116b9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2edd80c6016e386f5c709aef284b0adf3f41f5ce9e634d6e0731612cb9e116b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui-dev-server/link/server.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 143175, "scanner": "repobility-threat-engine", "fingerprint": "dea43ba61e2c78f501dc957296d162171090f7554ac937debbddeb17377d108b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dea43ba61e2c78f501dc957296d162171090f7554ac937debbddeb17377d108b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui-dev-server/link/client.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. 
Defeats TypeScript type safety."}, "properties": {"repobilityId": 143174, "scanner": "repobility-threat-engine", "fingerprint": "c889da205842e9399031cd365e80229069eec69db5358dcad60f0aa6c4e4d834", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c889da205842e9399031cd365e80229069eec69db5358dcad60f0aa6c4e4d834"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/common/storage.ts"}, "region": {"startLine": 19}}}]}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 143173, "scanner": "repobility-threat-engine", "fingerprint": "dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|dfda4170aff520d17dd79e2ba83251ca47508d2ca8ba93d0fcc46ccc46e07c8c"}}}, {"ruleId": "SEC132", "level": "none", "message": {"text": "[SEC132] String concat where the language has interpolation (AI style drift) (and 12 more): Same pattern found in 12 additional files. Review if needed."}, "properties": {"repobilityId": 143162, "scanner": "repobility-threat-engine", "fingerprint": "8f982bc0d0872c1bd9a84e8d95e8cdce33d25577464dd9a83b32709d7d282ef9", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 12 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC132", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|8f982bc0d0872c1bd9a84e8d95e8cdce33d25577464dd9a83b32709d7d282ef9"}}}, {"ruleId": "COMP001", "level": "none", "message": {"text": "[COMP001] High cognitive complexity (and 34 more): Same pattern found in 34 additional files. Review if needed."}, "properties": {"repobilityId": 143158, "scanner": "repobility-threat-engine", "fingerprint": "f32658a5bd3d365389dc9d8dcea6e6d2e8635eb72198c95a3e3592aeed9da33b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 34 additional occurrences found. 
The top occurrences remain visible as actionable findings.", "evidence": {"scanner": "repobility-threat-engine", "function": "parse_text_flags", "breakdown": {"if": 7, "for": 1, "elif": 6, "continue": 2, "nested_bonus": 34}, "aggregated": true, "complexity": 50, "correlation_key": "fp|f32658a5bd3d365389dc9d8dcea6e6d2e8635eb72198c95a3e3592aeed9da33b", "aggregated_count": 34}}}, {"ruleId": "SEC004", "level": "none", "message": {"text": "[SEC004] SQL Injection Risk (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 143154, "scanner": "repobility-threat-engine", "fingerprint": "697a1e1c618a976a04b2b10ee678d411488742818f4142185ec95468dbf3a704", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|697a1e1c618a976a04b2b10ee678d411488742818f4142185ec95468dbf3a704"}}}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `tools/dmifonts/DmiFonts.exe` committed in source repo: `tools/dmifonts/DmiFonts.exe` is a .exe binary (27,648 bytes) committed to a repo that otherwise has 1247 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 143408, "scanner": "repobility-supply-chain", "fingerprint": "81a2172d4fb993c3e0b6e8b855696a84cc683aa81b125c8286c4d67663f4dab4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|81a2172d4fb993c3e0b6e8b855696a84cc683aa81b125c8286c4d67663f4dab4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/dmifonts/DmiFonts.exe"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `libdreamluau.so` committed in source repo: `libdreamluau.so` is a .so binary (2,673,016 bytes) committed to a repo that otherwise has 1247 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 143407, "scanner": "repobility-supply-chain", "fingerprint": "195182539035792cef698f90d02618fd3f9d0f09f27870ef57368f81f162a5ed", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|195182539035792cef698f90d02618fd3f9d0f09f27870ef57368f81f162a5ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "libdreamluau.so"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `rust_g.dll` committed in source repo: `rust_g.dll` is a .dll binary (9,733,120 bytes) committed to a repo that otherwise has 1247 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 143406, "scanner": "repobility-supply-chain", "fingerprint": "ee5a7352db2d8c83f2c690ad50d80e5e8d79c5ba5337998a376bddb377b4136e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ee5a7352db2d8c83f2c690ad50d80e5e8d79c5ba5337998a376bddb377b4136e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "rust_g.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED134", "level": "error", "message": {"text": "[MINED134] Binary file `dreamluau.dll` committed in source repo: `dreamluau.dll` is a .dll binary (1,331,712 bytes) committed to a repo that otherwise has 1247 source files. 
Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts."}, "properties": {"repobilityId": 143405, "scanner": "repobility-supply-chain", "fingerprint": "8cd377429416587259005f82d6de406aaf42f40a58dce1144a16253633230e11", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "suspicious-binary-in-src", "owasp": null, "cwe_ids": ["CWE-506"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8cd377429416587259005f82d6de406aaf42f40a58dce1144a16253633230e11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "dreamluau.dll"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED126", "level": "error", "message": {"text": "[MINED126] Workflow container/services image `tgstation/server` unpinned: `container/services image: tgstation/server` without `@sha256:...` pulls a mutable tag at workflow-run time. 
Treat workflow container references with the same supply-chain discipline as Dockerfile FROM lines."}, "properties": {"repobilityId": 143404, "scanner": "repobility-supply-chain", "fingerprint": "cd7cfc4586335696671d64d0fd6cf3183e164f79d4499d9ab91ea127b8e762fd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-container-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cd7cfc4586335696671d64d0fd6cf3183e164f79d4499d9ab91ea127b8e762fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tgs_test.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143401, "scanner": "repobility-supply-chain", "fingerprint": "bc8ece8208ffda77a397c1423970e9a75d6ebecb5c0db2b061b46528a83da1a4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|bc8ece8208ffda77a397c1423970e9a75d6ebecb5c0db2b061b46528a83da1a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rerun_flaky_tests.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143400, "scanner": "repobility-supply-chain", "fingerprint": "f4f64250dd3af98fb59ed441ec0283943dcbad53908881a0a139b4d7d79f9cf8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f4f64250dd3af98fb59ed441ec0283943dcbad53908881a0a139b4d7d79f9cf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/rerun_flaky_tests.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v3.2.0`: `uses: actions/create-github-app-token@v3.2.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143399, "scanner": "repobility-supply-chain", "fingerprint": "7cf09c0ac2cd6b61167e0be25163bdb55cfa0f9cfb564b91aebfb8067810e5cd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7cf09c0ac2cd6b61167e0be25163bdb55cfa0f9cfb564b91aebfb8067810e5cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/discord_discussions.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143398, "scanner": "repobility-supply-chain", "fingerprint": "0658039aeab6187d7d427d96ffb8b2b3ffd89e56f7614f1b8576f005cdd5a8e4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0658039aeab6187d7d427d96ffb8b2b3ffd89e56f7614f1b8576f005cdd5a8e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/discord_discussions.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v5`: `uses: actions/setup-dotnet@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143397, "scanner": "repobility-supply-chain", "fingerprint": "9fe75c29c88cd29bd77a90350225f74b2cdcfb74f7c22d45d0dbdfa76f3eba5e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9fe75c29c88cd29bd77a90350225f74b2cdcfb74f7c22d45d0dbdfa76f3eba5e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/discord_discussions.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143396, "scanner": "repobility-supply-chain", "fingerprint": "ba15987c6ab8f89df9f3986372eaed262300bbb42d132cb54b09f704c8521352", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ba15987c6ab8f89df9f3986372eaed262300bbb42d132cb54b09f704c8521352"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/setup_build_artifact.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143395, "scanner": "repobility-supply-chain", "fingerprint": "a9cba871aae658009421a3ce306c9aaade111e6faeac7d14e679343fb3989ec9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a9cba871aae658009421a3ce306c9aaade111e6faeac7d14e679343fb3989ec9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/setup_build_artifact.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/repository-dispatch` pinned to mutable ref `@v4`: `uses: peter-evans/repository-dispatch@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143394, "scanner": "repobility-supply-chain", "fingerprint": "43d7b2f541ea668265eed608ed59368aa0cc9fb893f6d702cd0ad009f2ebc10c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|43d7b2f541ea668265eed608ed59368aa0cc9fb893f6d702cd0ad009f2ebc10c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/generate_client_storage.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v3.2.0`: `uses: actions/create-github-app-token@v3.2.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143393, "scanner": "repobility-supply-chain", "fingerprint": "395c3e24ba468b0b0ef522db7eaba667559f2eb8125974cc2e7f236662dd5860", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|395c3e24ba468b0b0ef522db7eaba667559f2eb8125974cc2e7f236662dd5860"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/generate_client_storage.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `ad-m/github-push-action` pinned to mutable ref `@master`: `uses: ad-m/github-push-action@master` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA, keeping the intended version as a trailing comment (e.g. `@<sha> # vX.Y.Z`) so Dependabot or Renovate can keep the pin current. A branch ref such as `@master` is worse than a version tag: it moves on every push to that branch, not only on a deliberate re-tag, so each run silently executes whatever the owner (or anyone with push access) last committed."}, "properties": {"repobilityId": 143392, "scanner": "repobility-supply-chain", "fingerprint": "dd9088b011b0325d5d1b5a1b31be4c25cedecafa1701510de10fbfa4c8486914", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|dd9088b011b0325d5d1b5a1b31be4c25cedecafa1701510de10fbfa4c8486914"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_changelogs.yml"}, "region": {"startLine": 70}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v3.2.0`: `uses: actions/create-github-app-token@v3.2.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143391, "scanner": "repobility-supply-chain", "fingerprint": "11c735942355c255cb355fe020382f6c0697890a888365cefa4cccf0cee7dffc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|11c735942355c255cb355fe020382f6c0697890a888365cefa4cccf0cee7dffc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_changelogs.yml"}, "region": {"startLine": 59}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143390, "scanner": "repobility-supply-chain", "fingerprint": "f90c6c3b531e30be64f82bb629b57717d14c6e42501b6e648ccea4f5f7bcdfe6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f90c6c3b531e30be64f82bb629b57717d14c6e42501b6e648ccea4f5f7bcdfe6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_changelogs.yml"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143389, "scanner": "repobility-supply-chain", "fingerprint": "7eab30442c91604750fa17750f642354c3e2f35d9f9cc4b4b92857e6822a029d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7eab30442c91604750fa17750f642354c3e2f35d9f9cc4b4b92857e6822a029d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compile_changelogs.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143388, "scanner": "repobility-supply-chain", "fingerprint": "f46b3ee1c17b6caaef6f96e6ca5e3b9080519fc9f0b466618b709cedeba4e144", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f46b3ee1c17b6caaef6f96e6ca5e3b9080519fc9f0b466618b709cedeba4e144"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto_changelog.yml"}, "region": {"startLine": 31}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v3.2.0`: `uses: actions/create-github-app-token@v3.2.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143387, "scanner": "repobility-supply-chain", "fingerprint": "7b94424aa3f8bd27c0b03180cc12a1a98810ba88bf43b2216251132b9c2c68e5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7b94424aa3f8bd27c0b03180cc12a1a98810ba88bf43b2216251132b9c2c68e5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto_changelog.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143386, "scanner": "repobility-supply-chain", "fingerprint": "a99080ee19c46d8684fd4ece8f8b73df5d69fef12934a44ae5741366d180f0ab", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a99080ee19c46d8684fd4ece8f8b73df5d69fef12934a44ae5741366d180f0ab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/auto_changelog.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143385, "scanner": "repobility-supply-chain", "fingerprint": "b2a37214561668e36d011684a6d3ac9abe989fefc6b581e7947578d47f0e0b45", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b2a37214561668e36d011684a6d3ac9abe989fefc6b581e7947578d47f0e0b45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_merge_bot.yml"}, "region": {"startLine": 35}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143384, "scanner": "repobility-supply-chain", "fingerprint": "9ff0c3a92e50dbf1eb2033fad1ba9ad907411c406b847b54c82e612e4a89ac6e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ff0c3a92e50dbf1eb2033fad1ba9ad907411c406b847b54c82e612e4a89ac6e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/test_merge_bot.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `re-actors/alls-green` pinned to mutable ref `@release/v1`: `uses: re-actors/alls-green@release/v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143383, "scanner": "repobility-supply-chain", "fingerprint": "e27804245bfb96a1fde3982fb26a5ae96612e7806c39115db2dab4ee6088c08b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e27804245bfb96a1fde3982fb26a5ae96612e7806c39115db2dab4ee6088c08b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci_suite.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `repo-sync/pull-request` pinned to mutable ref `@v2`: `uses: repo-sync/pull-request@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143382, "scanner": "repobility-supply-chain", "fingerprint": "6a4cc6cf96b5526f106970a5240cd70ff224221944a83421bf05a8416d97df04", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6a4cc6cf96b5526f106970a5240cd70ff224221944a83421bf05a8416d97df04"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update_tgs_dmapi.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v3.2.0`: `uses: actions/create-github-app-token@v3.2.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143381, "scanner": "repobility-supply-chain", "fingerprint": "31fb5083b92619b027d039dd04ee06d827af7be683e1fdd68bb4417b16700717", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|31fb5083b92619b027d039dd04ee06d827af7be683e1fdd68bb4417b16700717"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update_tgs_dmapi.yml"}, "region": {"startLine": 43}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `tgstation/tgs-dmapi-updater` pinned to mutable ref `@v2`: `uses: tgstation/tgs-dmapi-updater@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143380, "scanner": "repobility-supply-chain", "fingerprint": "56af722aa3895999f2ca115184fb0c796169ae03de87a04596874e8aa321ede1", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|56af722aa3895999f2ca115184fb0c796169ae03de87a04596874e8aa321ede1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update_tgs_dmapi.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143379, "scanner": "repobility-supply-chain", "fingerprint": "37575d7eb4a2c37e2dc1af2e9ecc008db7977cca2c1836cf132375fceb6f7303", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|37575d7eb4a2c37e2dc1af2e9ecc008db7977cca2c1836cf132375fceb6f7303"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/update_tgs_dmapi.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v9`: `uses: actions/github-script@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143378, "scanner": "repobility-supply-chain", "fingerprint": "8910dfb8d7066edae5b85446f89bfa9a3ca9b4d288d56dfc53bad264e49ceb7b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8910dfb8d7066edae5b85446f89bfa9a3ca9b4d288d56dfc53bad264e49ceb7b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/remove_guide_comments.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. 
Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 143377, "scanner": "repobility-supply-chain", "fingerprint": "12dc8fa100ebe853708e2a9fbfaf8baa2bf26c2923c548a2f5f55d04b2f0556d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|12dc8fa100ebe853708e2a9fbfaf8baa2bf26c2923c548a2f5f55d04b2f0556d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/remove_guide_comments.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:bullseye-slim` not pinned by digest: `FROM debian:bullseye-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 143376, "scanner": "repobility-supply-chain", "fingerprint": "d92a3d4fa638d13c4735ca994bfaeec36189a3b356290cb21c325e137406afa9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d92a3d4fa638d13c4735ca994bfaeec36189a3b356290cb21c325e137406afa9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tts/tts-api/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `debian:bullseye-slim` not pinned by digest: `FROM debian:bullseye-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 143375, "scanner": "repobility-supply-chain", "fingerprint": "3824960d4a3e08f30b665a607742d0c7d1484ee1efaa7c4d062d657a7e214ba8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3824960d4a3e08f30b665a607742d0c7d1484ee1efaa7c4d062d657a7e214ba8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tts/tts/Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `ubuntu:xenial` not pinned by digest: `FROM ubuntu:xenial` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. 
Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity. A digest pin freezes the image, so pair it with automated digest updates (Dependabot/Renovate) and keep the base current: `ubuntu:xenial` (16.04) is past standard support, so pinning it by digest makes an unpatched base reproducible but not safe — move to a supported release first, then pin."}, "properties": {"repobilityId": 143374, "scanner": "repobility-supply-chain", "fingerprint": "eee56cdd2f10a1c3d486a98c68720885efcf5734e49756888c20935b489e2cc8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|eee56cdd2f10a1c3d486a98c68720885efcf5734e49756888c20935b489e2cc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 2}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.raise_error` used but never assigned in __init__: Method `parse_pop` of class `DMMParser` reads `self.raise_error`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance, unless the name is bound some other way the scan did not resolve (a method or base-class attribute of the same name, or an assignment made before `parse_pop` is called); confirm against `DMMParser` before triaging, since `raise_error` reads like a method name."}, "properties": {"repobilityId": 143367, "scanner": "repobility-ast-engine", "fingerprint": "120cd9fdf9a786761e6f9de5fdab10ea251901d851d80962f24c538771e597a9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|120cd9fdf9a786761e6f9de5fdab10ea251901d851d80962f24c538771e597a9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/maplint/source/dmm.py"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.next_line` used but never assigned in __init__: Method `parse_pop` of class `DMMParser` reads `self.next_line`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143366, "scanner": "repobility-ast-engine", "fingerprint": "663bcda56ae3552871399cac0b8f6aab755c053ae4c69216c5d026c74fa80dfa", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|663bcda56ae3552871399cac0b8f6aab755c053ae4c69216c5d026c74fa80dfa"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/maplint/source/dmm.py"}, "region": {"startLine": 82}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.raise_error` used but never assigned in __init__: Method `parse_pop` of class `DMMParser` reads `self.raise_error`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143365, "scanner": "repobility-ast-engine", "fingerprint": "205f4f3101c0635327ce57e4b1180638215946175e3718670749aa062cb57234", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|205f4f3101c0635327ce57e4b1180638215946175e3718670749aa062cb57234"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/maplint/source/dmm.py"}, "region": {"startLine": 77}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.next_line` used but never assigned in __init__: Method `parse_pop` of class `DMMParser` reads `self.next_line`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143364, "scanner": "repobility-ast-engine", "fingerprint": "235d83f58f4b33e745c892db29cb519cd7cf0f050612bfa185b17202b9f76208", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|235d83f58f4b33e745c892db29cb519cd7cf0f050612bfa185b17202b9f76208"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/maplint/source/dmm.py"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.raise_error` used but never assigned in __init__: Method `parse` of class `DMMParser` reads `self.raise_error`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143363, "scanner": "repobility-ast-engine", "fingerprint": "adbf976dc1d10270681ff2c2dec9aec7e947457121d5731ec5c7d45aa0175ebd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|adbf976dc1d10270681ff2c2dec9aec7e947457121d5731ec5c7d45aa0175ebd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/maplint/source/dmm.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.parse_row` used but never assigned in __init__: Method `parse` of class `DMMParser` reads `self.parse_row`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143362, "scanner": "repobility-ast-engine", "fingerprint": "9d205487e68b975677bfe6a158c81a1b4e9cd5fdf53321afb4b95f662d27a833", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9d205487e68b975677bfe6a158c81a1b4e9cd5fdf53321afb4b95f662d27a833"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/maplint/source/dmm.py"}, "region": {"startLine": 55}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.parse_pop` used but never assigned in __init__: Method `parse` of class `DMMParser` reads `self.parse_pop`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143361, "scanner": "repobility-ast-engine", "fingerprint": "c085e94c2398a7d408cca2e9a950bb0d5433366ed4f7a11c7198b2e46a4ce0af", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|c085e94c2398a7d408cca2e9a950bb0d5433366ed4f7a11c7198b2e46a4ce0af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/maplint/source/dmm.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.raise_error` used but never assigned in __init__: Method `parse` of class `DMMParser` reads `self.raise_error`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143360, "scanner": "repobility-ast-engine", "fingerprint": "48b37fb0603a1190fc31f99bcf8ad682b5aeeb249ae27c62292be2ec6720ac29", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|48b37fb0603a1190fc31f99bcf8ad682b5aeeb249ae27c62292be2ec6720ac29"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/maplint/source/dmm.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.next_line` used but never assigned in __init__: Method `parse` of class `DMMParser` reads `self.next_line`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143359, "scanner": "repobility-ast-engine", "fingerprint": "4af957367da5ce9ccf53bf7fb79e0347a7c99b765a892c549255bed1f194d2e1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|4af957367da5ce9ccf53bf7fb79e0347a7c99b765a892c549255bed1f194d2e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/maplint/source/dmm.py"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._frame_index` used but never assigned in __init__: Method `get_frame` of class `State` reads `self._frame_index`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143352, "scanner": "repobility-ast-engine", "fingerprint": "233efb295c6643ce143157c5584f818a32f146728b34fe95ac9d493a1d5d19e1", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|233efb295c6643ce143157c5584f818a32f146728b34fe95ac9d493a1d5d19e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/dmi/__init__.py"}, "region": {"startLine": 218}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.framecount` used but never assigned in __init__: Method `hotspot` of class `State` reads `self.framecount`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143351, "scanner": "repobility-ast-engine", "fingerprint": "1ee66b025fdc21193430e815dc76d3e595fe20d832b1e3fdb25579317624eb11", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|1ee66b025fdc21193430e815dc76d3e595fe20d832b1e3fdb25579317624eb11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/dmi/__init__.py"}, "region": {"startLine": 207}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.framecount` used but never assigned in __init__: Method `hotspot` of class `State` reads `self.framecount`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143350, "scanner": "repobility-ast-engine", "fingerprint": "9958d42659b7b8339d93755573ddb00c0fcecd6638fa449168a0e21da594cbf0", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9958d42659b7b8339d93755573ddb00c0fcecd6638fa449168a0e21da594cbf0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/dmi/__init__.py"}, "region": {"startLine": 208}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._assemble_comment` used but never assigned in __init__: Method `to_file` of class `Dmi` reads `self._assemble_comment`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143349, "scanner": "repobility-ast-engine", "fingerprint": "91fbfc54e28727d373eccb9b928de9add2cc45ed1afce85996f159eba97488ce", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|91fbfc54e28727d373eccb9b928de9add2cc45ed1afce85996f159eba97488ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/dmi/__init__.py"}, "region": {"startLine": 157}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.overwrite_key` used but never assigned in __init__: Method `_presave_checks` of class `DMM` reads `self.overwrite_key`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143346, "scanner": "repobility-ast-engine", "fingerprint": "6d9cba336450d6eedb46ec72f57f0fd9f5d67680dee1cd7b2141dfadc31f698e", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6d9cba336450d6eedb46ec72f57f0fd9f5d67680dee1cd7b2141dfadc31f698e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/mapmerge2/dmm.py"}, "region": {"startLine": 113}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generate_new_key` used but never assigned in __init__: Method `_presave_checks` of class `DMM` reads `self.generate_new_key`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143345, "scanner": "repobility-ast-engine", "fingerprint": "abb34a4aa39972442a65a1b2ac616f4ddf48a492e1e7cb07aa9cb86148764fab", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|abb34a4aa39972442a65a1b2ac616f4ddf48a492e1e7cb07aa9cb86148764fab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/mapmerge2/dmm.py"}, "region": {"startLine": 103}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.reassign_bad_keys` used but never assigned in __init__: Method `_presave_checks` of class `DMM` reads `self.reassign_bad_keys`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143344, "scanner": "repobility-ast-engine", "fingerprint": "790bf3a7dc79cd8f5dfcc02ef0c07e35ff5da09104b66af58c8d5502bb515929", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|790bf3a7dc79cd8f5dfcc02ef0c07e35ff5da09104b66af58c8d5502bb515929"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/mapmerge2/dmm.py"}, "region": {"startLine": 115}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._ensure_free_keys` used but never assigned in __init__: Method `_presave_checks` of class `DMM` reads `self._ensure_free_keys`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143343, "scanner": "repobility-ast-engine", "fingerprint": "637c45a20be540d542eb822c2fd1908024114e5cf8e2b0c9a09975108bb8618b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|637c45a20be540d542eb822c2fd1908024114e5cf8e2b0c9a09975108bb8618b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/mapmerge2/dmm.py"}, "region": {"startLine": 96}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._ensure_free_keys` used but never assigned in __init__: Method `generate_new_key` of class `DMM` reads `self._ensure_free_keys`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143342, "scanner": "repobility-ast-engine", "fingerprint": "ae28ef9d0b40baf69e3e4febde76a0249619b8122f9b3ebfe88fd1a0c5d14da6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|ae28ef9d0b40baf69e3e4febde76a0249619b8122f9b3ebfe88fd1a0c5d14da6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/mapmerge2/dmm.py"}, "region": {"startLine": 61}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.get_or_generate_key` used but never assigned in __init__: Method `set_tile` of class `DMM` reads `self.get_or_generate_key`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143341, "scanner": "repobility-ast-engine", "fingerprint": "9dea3e9d5bc3fc9ccb33119fa40c25ee7a4479cac251c9b5b9c324d3af26fd5b", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|9dea3e9d5bc3fc9ccb33119fa40c25ee7a4479cac251c9b5b9c324d3af26fd5b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/mapmerge2/dmm.py"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.generate_new_key` used but never assigned in __init__: Method `get_or_generate_key` of class `DMM` reads `self.generate_new_key`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143340, "scanner": "repobility-ast-engine", "fingerprint": "8c779210af4a874d511b8bf9707dcfccf0fe91021485f5bb09a2f55555022916", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8c779210af4a874d511b8bf9707dcfccf0fe91021485f5bb09a2f55555022916"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/mapmerge2/dmm.py"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._presave_checks` used but never assigned in __init__: Method `to_bytes` of class `DMM` reads `self._presave_checks`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143339, "scanner": "repobility-ast-engine", "fingerprint": "497ed22559d8b80e751eb7a05f375fd1aac33a6a6145acc0e521e2d4c17173c8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|497ed22559d8b80e751eb7a05f375fd1aac33a6a6145acc0e521e2d4c17173c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/mapmerge2/dmm.py"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self._presave_checks` used but never assigned in __init__: Method `to_file` of class `DMM` reads `self._presave_checks`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143338, "scanner": "repobility-ast-engine", "fingerprint": "8cef42b786b8c482782cc9f32644dc22f4b7dc7558ea2f39db9066d67e500615", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|8cef42b786b8c482782cc9f32644dc22f4b7dc7558ea2f39db9066d67e500615"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/mapmerge2/dmm.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `end_headers` of class `CORSRequestHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143335, "scanner": "repobility-ast-engine", "fingerprint": "269f332004bccdb956ae988242573b0dde5fa9037fbb5319f892d6a64642a36c", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|269f332004bccdb956ae988242573b0dde5fa9037fbb5319f892d6a64642a36c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/localhost-asset-webroot-server.py"}, "region": {"startLine": 9}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `end_headers` of class `CORSRequestHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143334, "scanner": "repobility-ast-engine", "fingerprint": "efd779fb989d160080e32085955eceb9f081bdb0c938decc68cafcddd1064b11", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|efd779fb989d160080e32085955eceb9f081bdb0c938decc68cafcddd1064b11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/localhost-asset-webroot-server.py"}, "region": {"startLine": 8}}}]}, {"ruleId": "MINED108", "level": "error", "message": {"text": "[MINED108] `self.send_header` used but never assigned in __init__: Method `end_headers` of class `CORSRequestHandler` reads `self.send_header`, but no assignment to it exists in __init__ (and no class-level fallback). 
This raises AttributeError the first time the method runs against an instance."}, "properties": {"repobilityId": 143333, "scanner": "repobility-ast-engine", "fingerprint": "6217f558ba37c6218d271d23edc28661365a29660d28f00dad480f4f3fe62540", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "self-attr-never-set", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["python"], "observations_count": 25998}, "scanner": "repobility-ast-engine", "correlation_key": "fp|6217f558ba37c6218d271d23edc28661365a29660d28f00dad480f4f3fe62540"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/localhost-asset-webroot-server.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 143318, "scanner": "repobility-docker", "fingerprint": "980f7c9c30fcc981b9c33820511a707ceadc8b27fbaf1b9807b42d2d6948e964", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "3306:3306", "target": "3306", "host_ip": "", "published": "3306"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mariadb", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|980f7c9c30fcc981b9c33820511a707ceadc8b27fbaf1b9807b42d2d6948e964"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/LinuxOneShot/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKR006", "level": "error", "message": {"text": "Dockerfile pipes a remote script into a shell"}, 
"properties": {"repobilityId": 143294, "scanner": "repobility-docker", "fingerprint": "c13f9ac57642d236c6849dc53ef44d93146adb16f413270e44ad0f155eb4aa61", "category": "docker", "severity": "high", "confidence": 0.92, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "RUN instruction contains curl/wget piped into a shell.", "evidence": {"rule_id": "DKR006", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c13f9ac57642d236c6849dc53ef44d93146adb16f413270e44ad0f155eb4aa61"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: ... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 143263, "scanner": "repobility-threat-engine", "fingerprint": "f5d569a7f8456ab37c1a239f29f73cad4af49c2e5c412ede0647b750443672bf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f5d569a7f8456ab37c1a239f29f73cad4af49c2e5c412ede0647b750443672bf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/mapmerge2/frontend.py"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED006", "level": "error", "message": {"text": "[MINED006] Overcatch Baseexception: except BaseException: 
... \u2014 prevents Ctrl+C and SystemExit from working."}, "properties": {"repobilityId": 143262, "scanner": "repobility-threat-engine", "fingerprint": "f2fcc979f6ffe50fc2babf882990602519fb9e43d5c7600a9c8e7360836b8f08", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "overcatch-baseexception", "owasp": null, "cwe_ids": ["CWE-705"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347911+00:00", "triaged_in_corpus": 15, "observations_count": 230624, "ai_coder_pattern_id": 8}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f2fcc979f6ffe50fc2babf882990602519fb9e43d5c7600a9c8e7360836b8f08"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/maplint/source/__main__.py"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. 
Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 143261, "scanner": "repobility-threat-engine", "fingerprint": "6c28b09a73e676e0f4117a4c2510621ea56c130e718640b8f2964aec7499473d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin', '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6c28b09a73e676e0f4117a4c2510621ea56c130e718640b8f2964aec7499473d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/localhost-asset-webroot-server.py"}, "region": {"startLine": 7}}}]}, {"ruleId": "MINED034", "level": "error", "message": {"text": "[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection."}, "properties": {"repobilityId": 143259, "scanner": "repobility-threat-engine", "fingerprint": "3f3972a948c2da2c308c727d9c8caa14b85b7006ba19c943087836c9aa77458d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-subprocess-shell-true", "owasp": null, "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347977+00:00", "triaged_in_corpus": 15, "observations_count": 3478, "ai_coder_pattern_id": 118}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3f3972a948c2da2c308c727d9c8caa14b85b7006ba19c943087836c9aa77458d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/icon_cutter/check.py"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": 
"[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service (DoS). Ported from bandit B113 (Apache-2.0). NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 143251, "scanner": "repobility-threat-engine", "fingerprint": "26034aafd71f70c076993cfef48963bddf01c9dee2344f8ab265ee23d48e8478", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.get(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|26034aafd71f70c076993cfef48963bddf01c9dee2344f8ab265ee23d48e8478"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tts/tts-api/tts-api.py"}, "region": {"startLine": 33}}}]}, {"ruleId": "SEC078", "level": "error", "message": {"text": "[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and denial of service (DoS). Ported from bandit B113 (Apache-2.0). 
NOTE: this regex is heuristic; a real AST check is preferred for accuracy."}, "properties": {"repobilityId": 143250, "scanner": "repobility-threat-engine", "fingerprint": "8a30a1659a5d5a06d88c025a38f8a815169a8617d2d015adfbfd93cd79b9db93", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "requests.put(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC078", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8a30a1659a5d5a06d88c025a38f8a815169a8617d2d015adfbfd93cd79b9db93"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/discordRoleScript/Script.py"}, "region": {"startLine": 52}}}]}, {"ruleId": "SEC114", "level": "error", "message": {"text": "[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. 
`../../../etc/passwd` resolves cleanly."}, "properties": {"repobilityId": 143249, "scanner": "repobility-threat-engine", "fingerprint": "1a813aab558dbcfe96135eb63d8a3e06bf4266204641e039a9ab9fb4e5e0d5d5", "category": "path_traversal", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "path.join(\"bad-screenshots\", \"pull_request", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC114", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|path_traversal|token|102|sec114"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/ci/show_screenshot_test_results.js"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... | sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 143248, "scanner": "repobility-threat-engine", "fingerprint": "d15c75eb006b594df1744c9e2eaaf75133bf0011bb2d0119a1fbce076ece83fe", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d15c75eb006b594df1744c9e2eaaf75133bf0011bb2d0119a1fbce076ece83fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tgs_scripts/PreCompile.sh"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... 
| sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 143247, "scanner": "repobility-threat-engine", "fingerprint": "da7acdf4cd04fc63033dd3d7830ba7a1cea7d2ca2963abe6f2388b5f00911a23", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|da7acdf4cd04fc63033dd3d7830ba7a1cea7d2ca2963abe6f2388b5f00911a23"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tgs_scripts/InstallDeps.sh"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED012", "level": "error", "message": {"text": "[MINED012] Curl Pipe Bash: curl ... 
| sh / bash \u2014 runs unverified network code."}, "properties": {"repobilityId": 143246, "scanner": "repobility-threat-engine", "fingerprint": "73c8e555e97806abf9521a004d29565c244e8efb2e52707316206a8529262ac2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "curl-pipe-bash", "owasp": "A08:2021", "cwe_ids": ["CWE-494"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347926+00:00", "triaged_in_corpus": 15, "observations_count": 135001, "ai_coder_pattern_id": 25}, "scanner": "repobility-threat-engine", "correlation_key": "fp|73c8e555e97806abf9521a004d29565c244e8efb2e52707316206a8529262ac2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/bootstrap/javascript.sh"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 143237, "scanner": "repobility-threat-engine", "fingerprint": "48042dc7e49c1d22698eea3421748fe41078896d080bad6f695a82d4f29fbfa4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|48042dc7e49c1d22698eea3421748fe41078896d080bad6f695a82d4f29fbfa4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/mapmerge2/mapmerge.py"}, 
"region": {"startLine": 34}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 143236, "scanner": "repobility-threat-engine", "fingerprint": "ef9a3946f203417ea9a548f64e49484f98767afa3957575fd263da2f9dd8baec", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ef9a3946f203417ea9a548f64e49484f98767afa3957575fd263da2f9dd8baec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/maplint/source/error.py"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED001", "level": "error", "message": {"text": "[MINED001] Bare Except Pass: except: pass or except Exception: pass \u2014 silently swallows everything including KeyboardInterrupt and bugs."}, "properties": {"repobilityId": 143235, "scanner": "repobility-threat-engine", "fingerprint": "250c15372a3428ba55261d939080de77362d08ecbffc127ca0383018ee0c2faf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "bare-except-pass", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347744+00:00", "triaged_in_corpus": 15, "observations_count": 1550824, "ai_coder_pattern_id": 6}, "scanner": 
"repobility-threat-engine", "correlation_key": "fp|250c15372a3428ba55261d939080de77362d08ecbffc127ca0383018ee0c2faf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/HitboxExpander/__main__.py"}, "region": {"startLine": 87}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 143231, "scanner": "repobility-threat-engine", "fingerprint": "1442e910503f426f45aadb3b0926e7edff9ca9597eb7408575d39b2a9a8698fb", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|1442e910503f426f45aadb3b0926e7edff9ca9597eb7408575d39b2a9a8698fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/PortraitPicker.jsx"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 143230, "scanner": "repobility-threat-engine", "fingerprint": "459f010baa8639fd0e583738ffa4091e7aec835b13dbc4309c3a8f14b949c9fd", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", 
"triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|459f010baa8639fd0e583738ffa4091e7aec835b13dbc4309c3a8f14b949c9fd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/PaintingAdminPanel.tsx"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 143229, "scanner": "repobility-threat-engine", "fingerprint": "3d2b3d50ac2d066e409dd26adfa744325c64deb8cf22b7f64a9126f217b99ea6", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3d2b3d50ac2d066e409dd26adfa744325c64deb8cf22b7f64a9126f217b99ea6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/NtosPortraitPrinter.jsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 143204, "scanner": "repobility-threat-engine", "fingerprint": "6d9ef453fe081bf16e1ed61db67ee470b5e8fdbaa7cf71778e56552979a62d63", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(parts", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|6d9ef453fe081bf16e1ed61db67ee470b5e8fdbaa7cf71778e56552979a62d63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/Interview.tsx"}, "region": {"startLine": 47}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. 
Ported from eslint-plugin-security detect-child-process (Apache-2.0). Triage note: the match is only `exec(text`; in a browser-side tgui-panel chat module that also builds `new RegExp(wordRegexStr)` (see the SEC083 finding on this same file), the receiver may well be `RegExp.prototype.exec` rather than `child_process.exec`. Confirm the callee before treating this as command injection."}, "properties": {"repobilityId": 143203, "scanner": "repobility-threat-engine", "fingerprint": "d29033fdd872322da050dd51f8579ba12b807965ec0e35a1f8ea9387676ffcf8", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(text", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d29033fdd872322da050dd51f8579ba12b807965ec0e35a1f8ea9387676ffcf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui-panel/chat/replaceInTextNode.ts"}, "region": {"startLine": 40}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 143202, "scanner": "repobility-threat-engine", "fingerprint": "41225001f3ed31205532b2fdd13efca0e8bd9fad6475ab6862578451438aa413", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(str", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|41225001f3ed31205532b2fdd13efca0e8bd9fad6475ab6862578451438aa413"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/LogViewer.tsx"}, "region": {"startLine": 146}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 143201, "scanner": "repobility-threat-engine", "fingerprint": "ab63e2f89372566c4fc9b7d01de46b803a65bc727b4af37f54baeafba28df1c9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(highlightRegex", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ab63e2f89372566c4fc9b7d01de46b803a65bc727b4af37f54baeafba28df1c9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui-panel/settings/TextHighlight.tsx"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. 
Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 143200, "scanner": "repobility-threat-engine", "fingerprint": "be2092d3d35eace3598d19d87ad651369d4bd52504ca53662d6995d744c11448", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(wordRegexStr", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|be2092d3d35eace3598d19d87ad651369d4bd52504ca53662d6995d744c11448"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui-panel/chat/replaceInTextNode.ts"}, "region": {"startLine": 120}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 143184, "scanner": "repobility-threat-engine", "fingerprint": "36d9868ded01d016e69085c4c73bad32269682518936a84e9e7fe24033d12fb1", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n                                ([varName, tooltip]) =>\n                                  `%${v", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|36d9868ded01d016e69085c4c73bad32269682518936a84e9e7fe24033d12fb1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/AutomatedAnnouncement.tsx"}, "region": {"startLine": 96}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 143183, "scanner": "repobility-threat-engine", "fingerprint": "dd0a07d5236dd67301f00e402ac91d60a192ef8091b4507cba74ac9ef0990875", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((x) => `${x.name} (${x.type}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dd0a07d5236dd67301f00e402ac91d60a192ef8091b4507cba74ac9ef0990875"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/AppearanceDebug/AppearanceInfo.tsx"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. 
Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 143182, "scanner": "repobility-threat-engine", "fingerprint": "e6498b039a874ddec7dc1e4bbc3a008fbf4f379365c3c4021fd10fc6894cd022", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map(\n        (key) =>\n          `${encodeURIComponent(key)}=${encodeURIComponent(params[key])}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e6498b039a874ddec7dc1e4bbc3a008fbf4f379365c3c4021fd10fc6894cd022"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui-dev-server/dreamseeker.ts"}, "region": {"startLine": 38}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 143172, "scanner": "repobility-threat-engine", "fingerprint": "fc854c87824df99c518e68ecbe722b4af76935b0a41a6a9a97a44f98467b9f60", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "this.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fc854c87824df99c518e68ecbe722b4af76935b0a41a6a9a97a44f98467b9f60"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui-panel/audio/player.ts"}, "region": {"startLine": 105}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 143171, "scanner": "repobility-threat-engine", "fingerprint": "d865ca569ccad5b6361dcc19547a5ee0ee2ba19a5b9a259f776c8459361b677f", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map.consumer.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d865ca569ccad5b6361dcc19547a5ee0ee2ba19a5b9a259f776c8459361b677f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui-dev-server/link/retrace.ts"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. 
Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 143170, "scanner": "repobility-threat-engine", "fingerprint": "7bc636a8506cfb1865c515ad57710dd1e2b7a63d364700c99d65fcef32617c1d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "iframe.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7bc636a8506cfb1865c515ad57710dd1e2b7a63d364700c99d65fcef32617c1d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/common/storage.ts"}, "region": {"startLine": 183}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts. Triage note: the matched evidence is `.search(r\"time=([0-9:\\\\.]+)`, a raw-string regular-expression literal of the kind passed to `re.search`, not an LDAP filter built from input; confirm the receiver is actually an LDAP connection before keeping the confirmed verdict."}, "properties": {"repobilityId": 143167, "scanner": "repobility-threat-engine", "fingerprint": "2de3d2a0520bc8e10aec799186e34e16e9fdb27da81a7f4c24f526da03d934c8", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(r\"time=([0-9:\\\\.]+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|62|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/tts/tts-api/tts-api.py"}, "region": {"startLine": 62}}}]}, {"ruleId": "SEC103", "level": "error", "message": {"text": "[SEC103] LDAP injection \u2014 non-constant search filter: User input concatenated into an LDAP search filter. 
Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts. Triage note: the matched evidence is `.search(\"\\tkey = \\\"(.+)`, a string-literal pattern with a regex capture group of the kind passed to `re.search`, not an LDAP filter built from input; confirm the receiver is actually an LDAP connection before keeping the confirmed verdict."}, "properties": {"repobilityId": 143166, "scanner": "repobility-threat-engine", "fingerprint": "7eae9295d634be483e3346c426fb172232e1a2b82b7f27d15101e978980a6f5f", "category": "injection", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".search(\"\\tkey = \\\"(.+)", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC103", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|66|sec103"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "SQL/populate_key_2018-07-09.py"}, "region": {"startLine": 66}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `find_lone_arrays` has cognitive complexity 56 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=11, elif=1, if=16, nested_bonus=26, ternary=1, while=1."}, "properties": {"repobilityId": 143157, "scanner": "repobility-threat-engine", "fingerprint": "5524a37f27e13c4e94da69b992874b73f89a55c3eac8c33408f5832bdb9501c5", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 56 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "find_lone_arrays", "breakdown": {"if": 16, "elif": 1, "while": 1, "ternary": 1, "continue": 11, "nested_bonus": 26}, "complexity": 56, "correlation_key": "fp|5524a37f27e13c4e94da69b992874b73f89a55c3eac8c33408f5832bdb9501c5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/CatchUnescapedBrackets/__main__.py"}, "region": {"startLine": 10}}}]}, {"ruleId": "COMP001", "level": "error", "message": {"text": "[COMP001] High cognitive complexity: Function `parse_text_flags` has cognitive complexity 50 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand \u2014 nested branches, boolean chains, and recursion all weigh in. 
Breakdown: continue=2, elif=6, for=1, if=7, nested_bonus=34."}, "properties": {"repobilityId": 143155, "scanner": "repobility-threat-engine", "fingerprint": "611b4c8e5c1781211ac5684c1ec4135f333b593d7f57703862c835b9cbeba351", "category": "quality", "severity": "high", "confidence": 0.95, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "AST-derived cognitive complexity score = 50 (severity threshold for high: 25+).", "evidence": {"scanner": "repobility-threat-engine", "function": "parse_text_flags", "breakdown": {"if": 7, "for": 1, "elif": 6, "continue": 2, "nested_bonus": 34}, "complexity": 50, "correlation_key": "fp|611b4c8e5c1781211ac5684c1ec4135f333b593d7f57703862c835b9cbeba351"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "SQL/admin_import_2018-02-03.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection."}, "properties": {"repobilityId": 143153, "scanner": "repobility-threat-engine", "fingerprint": "0bdc4321be8343c039d47a75c9c895f8cd71d001788dcb28d05558570fcd83ab", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": ".execute(\"SELECT ckey FROM {0}{1}\".format(", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|53|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "SQL/populate_key_2018-07-09.py"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. 
Allows SQL injection."}, "properties": {"repobilityId": 143152, "scanner": "repobility-threat-engine", "fingerprint": "9b7cc67d539bf8b9567fb9b69ca367b83b67de955d3e82a5fa1b715a93566b4a", "category": "injection", "severity": "high", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "evidence": {"match": ".execute(\"INSERT INTO {0} (rank, flags, exclude_flags, can_edit_flags) VALUES ('{1}', {2}, {3}, {4})", "reason": "SQL string interpolation found, but user-controlled taint was not proven from local context.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.5, "correlation_key": "code|injection|token|85|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "SQL/admin_import_2018-02-03.py"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC004", "level": "error", "message": {"text": "[SEC004] SQL Injection Risk: String interpolation in SQL execution. 
Allows SQL injection."}, "properties": {"repobilityId": 143151, "scanner": "repobility-threat-engine", "fingerprint": "90554d4a96c340ef8fd32d0ffbb4ed2ed54da3bb551158710d5afce4b680edd2", "category": "injection", "severity": "high", "confidence": 0.85, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "SQL string interpolation is near request/data/parameter input; user-controlled taint is plausible.", "evidence": {"match": ".execute(\"TRUNCATE {0} \".format(", "reason": "SQL string interpolation is near request/data/parameter input; user-controlled taint is plausible.", "rule_id": "SEC004", "scanner": "repobility-threat-engine", "confidence": 0.85, "correlation_key": "code|injection|token|172|sec004"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "SQL/ban_conversion_2018-10-28.py"}, "region": {"startLine": 172}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DISCORD_WEBHOOK` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DISCORD_WEBHOOK }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 143403, "scanner": "repobility-supply-chain", "fingerprint": "9ba7754791d32a6ae19d967c02b4c0d48b34079c57d367ffdce04d97628c075e", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ba7754791d32a6ae19d967c02b4c0d48b34079c57d367ffdce04d97628c075e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/stale.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DISCORD_WEBHOOK` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DISCORD_WEBHOOK }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). 
Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 143402, "scanner": "repobility-supply-chain", "fingerprint": "2cad43be3f6d8c5a5d68b4dceda53098b33f1f33ad55d891315221a3ab35e0d4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2cad43be3f6d8c5a5d68b4dceda53098b33f1f33ad55d891315221a3ab35e0d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/stale.yml"}, "region": {"startLine": 64}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 143323, "scanner": "repobility-docker", "fingerprint": "a0def2d9aaad17553f891feb336c3841e9eaa0018c705fc69f69bf3eb2e0a678", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "tgs", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|a0def2d9aaad17553f891feb336c3841e9eaa0018c705fc69f69bf3eb2e0a678", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/LinuxOneShot/docker-compose.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal 
secret environment value"}, "properties": {"repobilityId": 143317, "scanner": "repobility-docker", "fingerprint": "3c73d4c6451f495ab5d9cac450b187d016947100c02d8c0385fec9374cd80638", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mariadb", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|3c73d4c6451f495ab5d9cac450b187d016947100c02d8c0385fec9374cd80638", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/LinuxOneShot/docker-compose.yml"}, "region": {"startLine": 2}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 143310, "scanner": "repobility-docker", "fingerprint": "01b2247c8d5b64bcc4b51731f2c1c6e198ff4aab8bb8c292d3d304685fc0f073", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "db", "variable": "MYSQL_RANDOM_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|01b2247c8d5b64bcc4b51731f2c1c6e198ff4aab8bb8c292d3d304685fc0f073", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
"tools/DockerTestServer/docker-compose.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED030", "level": "error", "message": {"text": "[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__."}, "properties": {"repobilityId": 143267, "scanner": "repobility-threat-engine", "fingerprint": "7cddf66d0cdf4022e74d0d805fa827237b15c748c0a9fe6d799d5ba4e3d60916", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "python-pickle-loads", "owasp": null, "cwe_ids": ["CWE-502"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347968+00:00", "triaged_in_corpus": 20, "observations_count": 6314, "ai_coder_pattern_id": 119}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7cddf66d0cdf4022e74d0d805fa827237b15c748c0a9fe6d799d5ba4e3d60916"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/minibot/minibot.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "SEC081", "level": "error", "message": {"text": "[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. 
Ported from dlint DUO103 / DUO120 (BSD-3)."}, "properties": {"repobilityId": 143266, "scanner": "repobility-threat-engine", "fingerprint": "528e08d11949c393e9a1fcb305a733eddbdf578aa731582d608ff03e17cd5efc", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "pickle.loads(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC081", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|528e08d11949c393e9a1fcb305a733eddbdf578aa731582d608ff03e17cd5efc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/minibot/minibot.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED102", "level": "error", "message": {"text": "[MINED102] Shell Injection Via F-string: Shell command built via f-string or .format with non-constant input \u2014 command injection. An attacker controlling any interpolated value can execute arbitrary shell commands."}, "properties": {"repobilityId": 143260, "scanner": "repobility-threat-engine", "fingerprint": "59fd8b12ed03dfc36e7104c1fa7d79301d50f4e0cc972353e6be8c4cc8645090", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "shell-injection-format", "owasp": "A03:2021", "cwe_ids": ["CWE-78"], "languages": ["python"], "precision": 1.0, "promoted_at": "2026-05-19T13:00:00.000000+00:00", "triaged_in_corpus": 1, "observations_count": 175, "ai_coder_pattern_id": 11}, "scanner": "repobility-threat-engine", "correlation_key": "fp|59fd8b12ed03dfc36e7104c1fa7d79301d50f4e0cc972353e6be8c4cc8645090"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/icon_cutter/check.py"}, "region": {"startLine": 105}}}]}, 
{"ruleId": "SEC001", "level": "error", "message": {"text": "[SEC001] Hardcoded Password: Hardcoded password found in source code."}, "properties": {"repobilityId": 143233, "scanner": "repobility-threat-engine", "fingerprint": "d8f583c72680b0f5014b1b88c979f6cfd20ff63aebba0c5b73a4544f2cfbeb39", "category": "credential_exposure", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "High entropy value (4.2 bits) \u2014 likely real secret", "evidence": {"match": "DB_PASS=\"${DB_PASS:-gamelord}\"", "reason": "High entropy value (4.2 bits) \u2014 likely real secret", "rule_id": "SEC001", "scanner": "repobility-threat-engine", "confidence": 0.9, "correlation_key": "secret|token|3|db_pass db_pass:-gamelord"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/DockerTestServer/entrypoint.sh"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 143217, "scanner": "repobility-threat-engine", "fingerprint": "eced1c4845843738f8644c8d3d2d9835620a03be65368a1a11e1d897fac05dbf", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|eced1c4845843738f8644c8d3d2d9835620a03be65368a1a11e1d897fac05dbf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/ss13_genchangelog.py"}, "region": 
{"startLine": 118}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 143216, "scanner": "repobility-threat-engine", "fingerprint": "555243b71137f9879bd7cf44ae017b5212b83047489baeb2bc5fda95f6c493ba", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", "correlation_key": "fp|555243b71137f9879bd7cf44ae017b5212b83047489baeb2bc5fda95f6c493ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/minibot/minibot.py"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED018", "level": "error", "message": {"text": "[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data \u2014 RCE."}, "properties": {"repobilityId": 143215, "scanner": "repobility-threat-engine", "fingerprint": "009b3f0aed29c2daa02eba67453d1d64c1dd2db8dadcb059ebcfc71dc051e751", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "unsafe-deserialization-pickle", "owasp": "A08:2021", "cwe_ids": ["CWE-502"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347940+00:00", "triaged_in_corpus": 20, "observations_count": 58759, "ai_coder_pattern_id": 32}, "scanner": "repobility-threat-engine", 
"correlation_key": "fp|009b3f0aed29c2daa02eba67453d1d64c1dd2db8dadcb059ebcfc71dc051e751"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/Changelog.jsx"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. `unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 143214, "scanner": "repobility-threat-engine", "fingerprint": "513184d9d4ac4de12be7aa678a1a51443b3970c3e2f14b0efd559de3f7b53fc2", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|tools/ss13_genchangelog.py|118|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/ss13_genchangelog.py"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC116", "level": "error", "message": {"text": "[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes \u2014 direct RCE on untrusted input. 
`unsafe_load` is even more dangerous."}, "properties": {"repobilityId": 143213, "scanner": "repobility-threat-engine", "fingerprint": "5b710ba964a8f367f25ef6d38f45fa28d3fad90a419eb06705e55cbb83ee67df", "category": "deserialization", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC116", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|deserialization|token|93|sec116"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/Changelog.jsx"}, "region": {"startLine": 93}}}]}, {"ruleId": "SEC079", "level": "error", "message": {"text": "[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-3)."}, "properties": {"repobilityId": 143212, "scanner": "repobility-threat-engine", "fingerprint": "f412121e14748b63145a22d091f8453bdb9dc3cb4d622fda54d0f29d2c1de6c6", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "yaml.load(result, { schema: yaml.CORE_SCHEMA })", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC079", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|f412121e14748b63145a22d091f8453bdb9dc3cb4d622fda54d0f29d2c1de6c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tgui/packages/tgui/interfaces/Changelog.jsx"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED007", "level": "error", "message": {"text": "[MINED007] Sql String Concat: cursor.execute(f\"... 
{user_input} ...\") \u2014 SQL injection."}, "properties": {"repobilityId": 143165, "scanner": "repobility-threat-engine", "fingerprint": "c0e43b747bab0779a7f84d120111b428b4c3c8f6573fede4ccd99a0e30606975", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "sql-string-concat", "owasp": "A03:2021", "cwe_ids": ["CWE-89"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347914+00:00", "triaged_in_corpus": 20, "observations_count": 210457, "ai_coder_pattern_id": 12}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c0e43b747bab0779a7f84d120111b428b4c3c8f6573fede4ccd99a0e30606975"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/ezdb/steps/update_schema.py"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED007", "level": "error", "message": {"text": "[MINED007] Sql String Concat: cursor.execute(f\"... 
{user_input} ...\") \u2014 SQL injection."}, "properties": {"repobilityId": 143164, "scanner": "repobility-threat-engine", "fingerprint": "3f276ee9b23bb11bf71af66e72654f4fceb7fc8f50a719e0a3071f7fed84bbd2", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "sql-string-concat", "owasp": "A03:2021", "cwe_ids": ["CWE-89"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347914+00:00", "triaged_in_corpus": 20, "observations_count": 210457, "ai_coder_pattern_id": 12}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3f276ee9b23bb11bf71af66e72654f4fceb7fc8f50a719e0a3071f7fed84bbd2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tools/ezdb/steps/install_initial_schema.py"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED007", "level": "error", "message": {"text": "[MINED007] Sql String Concat: cursor.execute(f\"... {user_input} ...\") \u2014 SQL injection."}, "properties": {"repobilityId": 143163, "scanner": "repobility-threat-engine", "fingerprint": "982db5f9cfacc09743c26028d4dfb59d12889306b87b9c2d082a4e41ac10c85c", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "sql-string-concat", "owasp": "A03:2021", "cwe_ids": ["CWE-89"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347914+00:00", "triaged_in_corpus": 20, "observations_count": 210457, "ai_coder_pattern_id": 12}, "scanner": "repobility-threat-engine", "correlation_key": "fp|982db5f9cfacc09743c26028d4dfb59d12889306b87b9c2d082a4e41ac10c85c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "SQL/ban_conversion_2018-10-28.py"}, "region": {"startLine": 125}}}]}]}]}