{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "CFG006", "name": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.", "shortDescription": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "fullDescription": {"text": "Add a .gitignore appropriate for your language/framework."}, "properties": {"scanner": "repobility-threat-engine", "category": "practices", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "AIC006", "name": "Archive or legacy directory is mixed into the active repository root", "shortDescription": {"text": "Archive or legacy directory is mixed into the active repository root"}, "fullDescription": {"text": "Move archived code out of the active repository, mark it with .repobilityignore, or document exactly why it must stay and how scanners should treat it."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_LICENSE", "name": "No LICENSE file", "shortDescription": {"text": "No LICENSE file"}, "fullDescription": {"text": "Add a LICENSE file to your repository. Use choosealicense.com to pick the right license (MIT for permissive, Apache 2.0 for patent protection, GPL for copyleft)."}, "properties": {"scanner": "repobility-core", "category": "documentation", "severity": "low", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found in a documentation, catalog, or template-heavy repository", "shortDescription": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "fullDescription": {"text": "If this repository ships runnable code, add focused tests for those examples or templates. If it is documentation/catalog content only, mark the finding as accepted or add a .repobilityignore note."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "info", "confidence": 0.35, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `webfactory/ssh-agent` pinned to mutable ref `@v0.9.0`: `uses: webfactory/ssh-agent@v0.9.0` resolves a", "shortDescription": {"text": "[MINED115] Action `webfactory/ssh-agent` pinned to mutable ref `@v0.9.0`: `uses: webfactory/ssh-agent@v0.9.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files comp"}, "fullDescription": {"text": "Replace with: `uses: webfactory/ssh-agent@<40-char-sha>  # v0.9.0` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.SSH_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.SSH_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SSH_PRIVATE_KEY }` lets a PR from any fork exfiltrate the se"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1375"}, "properties": {"repository": "nikgapps/config", "repoUrl": "https://github.com/nikgapps/config", "branch": "main"}, "results": [{"ruleId": "CFG006", "level": "warning", "message": {"text": "[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts."}, "properties": {"repobilityId": 140727, "scanner": "repobility-threat-engine", "fingerprint": "c65fc71ce58c37a0e07837c0fe294108b731c43ef16027a2f0971c757bbe9a16", "category": "practices", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "No .gitignore file found in repository root", "evidence": {"reason": "No .gitignore file found in repository root", "rule_id": "CFG006", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "repo|practices|cfg006"}}}, {"ruleId": "AIC006", "level": "note", "message": {"text": "Archive or legacy directory is mixed into the active repository root"}, "properties": {"repobilityId": 140728, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0a7d2f4e50dd6f0a3ca0adfbcb9cb1f442d6b4ebfb1b14f4466301798c4f394e", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains an archive/legacy directory name.", "evidence": {"rule_id": "AIC006", "scanner": "repobility-ai-code-hygiene", "directory": "archive", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|0a7d2f4e50dd6f0a3ca0adfbcb9cb1f442d6b4ebfb1b14f4466301798c4f394e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "archive"}, "region": {"startLine": 1}}}]}, {"ruleId": "CORE_NO_LICENSE", "level": "note", "message": {"text": "No LICENSE file"}, "properties": {"repobilityId": 140726, "scanner": "repobility-core", "fingerprint": "9314e9238cd99885865b92490d1aaa96ca62b1390c9377878d5f3d99227e1c3c", "category": "documentation", "severity": "low", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_LICENSE", "scanner": "repobility-core", "correlation_key": "repo|documentation|core_no_license"}}}, {"ruleId": "CORE_NO_TESTS", "level": "none", "message": {"text": "No test files found in a documentation, catalog, or template-heavy repository"}, "properties": {"repobilityId": 140725, "scanner": "repobility-core", "fingerprint": "69cfb3536a8ccff500ccafcd681fc8d4bc9f4eda6689da02ddec81654bd9fd15", "category": "testing", "severity": "info", "confidence": 0.35, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "evidence": {"reason": "Repository shape is documentation, catalog, skill, or template-heavy rather than a conventional runnable application.", "rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "confidence": 0.35, "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `webfactory/ssh-agent` pinned to mutable ref `@v0.9.0`: `uses: webfactory/ssh-agent@v0.9.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 140730, "scanner": "repobility-supply-chain", "fingerprint": "c14018aa62b4a3c269bf599e370328714e618d01d0640007954bce702d5c3a3f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c14018aa62b4a3c269bf599e370328714e618d01d0640007954bce702d5c3a3f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/EliteBuilds.yml"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 140729, "scanner": "repobility-supply-chain", "fingerprint": "f2fea22d28662d3d3475a02f24aeb85c5d61ec82469d98e1f8dc6a2c8e77e297", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f2fea22d28662d3d3475a02f24aeb85c5d61ec82469d98e1f8dc6a2c8e77e297"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/EliteBuilds.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SSH_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SSH_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 140741, "scanner": "repobility-supply-chain", "fingerprint": "990e08c5910ccff50b7ca2f9e5ebf96579e325289dae510a122212bfe810336d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|990e08c5910ccff50b7ca2f9e5ebf96579e325289dae510a122212bfe810336d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/EliteBuilds.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SSH_PRIVATE_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SSH_PRIVATE_KEY }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 140740, "scanner": "repobility-supply-chain", "fingerprint": "f511048ce54050b880dbcdbabbceaf78056d8803c7db958304a220bdcde43f2b", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f511048ce54050b880dbcdbabbceaf78056d8803c7db958304a220bdcde43f2b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/EliteBuilds.yml"}, "region": {"startLine": 26}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.MESSAGE_THREAD_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.MESSAGE_THREAD_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 140739, "scanner": "repobility-supply-chain", "fingerprint": "fab924dbc8fed6b050ae4d38dc791a4c7ba1bc8fdebcbe589b57301ff3bf4d95", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fab924dbc8fed6b050ae4d38dc791a4c7ba1bc8fdebcbe589b57301ff3bf4d95"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/EliteBuilds.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TELEGRAM_CHAT_ID` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TELEGRAM_CHAT_ID }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 140738, "scanner": "repobility-supply-chain", "fingerprint": "8e91c0b0209ae9e65ec38c30210ac9b0e4fa3dec694546dcc0b3d0c6cb5a098d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8e91c0b0209ae9e65ec38c30210ac9b0e4fa3dec694546dcc0b3d0c6cb5a098d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/EliteBuilds.yml"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.TELEGRAM_BOT_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.TELEGRAM_BOT_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 140737, "scanner": "repobility-supply-chain", "fingerprint": "fc3fbce3103b535a29c420084c8c7d82f9b36c4587f134923493ba60b23b63d7", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|fc3fbce3103b535a29c420084c8c7d82f9b36c4587f134923493ba60b23b63d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/EliteBuilds.yml"}, "region": {"startLine": 23}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.ENVIRONMENT_TYPE` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.ENVIRONMENT_TYPE }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 140736, "scanner": "repobility-supply-chain", "fingerprint": "6bc0bd57dbf958aa47a8e0f40472939d6c40333cf56e3196b29f81efefeb8f40", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6bc0bd57dbf958aa47a8e0f40472939d6c40333cf56e3196b29f81efefeb8f40"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/EliteBuilds.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SF_PWD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SF_PWD }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 140735, "scanner": "repobility-supply-chain", "fingerprint": "402e23bbc3d941196510ec0cef827287ba6ac264d0ce66e87385aff0155c054d", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|402e23bbc3d941196510ec0cef827287ba6ac264d0ce66e87385aff0155c054d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/EliteBuilds.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.EMAIL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.EMAIL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 140734, "scanner": "repobility-supply-chain", "fingerprint": "98e1a4f9a042cfb62b98d90d30280f91664fb131b563efbfcbc51ea65982aa67", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|98e1a4f9a042cfb62b98d90d30280f91664fb131b563efbfcbc51ea65982aa67"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/EliteBuilds.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.USER_NAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.USER_NAME }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 140733, "scanner": "repobility-supply-chain", "fingerprint": "8a4ff1f7e068eec5c78c4d21c214fbde3135e4def6fc2624445b2ebc23a95786", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|8a4ff1f7e068eec5c78c4d21c214fbde3135e4def6fc2624445b2ebc23a95786"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/EliteBuilds.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DEPLOY_AUTH` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DEPLOY_AUTH }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 140732, "scanner": "repobility-supply-chain", "fingerprint": "e173d8ccc542dfb05a67347b4a51bfe79fa213ea0e27e47f79d3e64772d15413", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e173d8ccc542dfb05a67347b4a51bfe79fa213ea0e27e47f79d3e64772d15413"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/EliteBuilds.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.AUTH` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.AUTH }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 140731, "scanner": "repobility-supply-chain", "fingerprint": "ca787866d1f4f8d2e0dafee3c2a2583a697683e2cbbb4e7a02e934f98002df87", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ca787866d1f4f8d2e0dafee3c2a2583a697683e2cbbb4e7a02e934f98002df87"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/EliteBuilds.yml"}, "region": {"startLine": 14}}}]}]}]}