{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "WEB012", "name": "Service worker is present without a web app manifest", "shortDescription": {"text": "Service worker is present without a web app manifest"}, "fullDescription": {"text": "Add a valid manifest.json or site.webmanifest and reference it from the document head. Include name, icons, start_url, display, and theme colors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB003", "name": "Public web service has no security.txt", "shortDescription": {"text": "Public web service has no security.txt"}, "fullDescription": {"text": "Add /.well-known/security.txt with Contact, Expires, Canonical, Preferred-Languages, and Policy fields. Keep the contact endpoint monitored."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.78, "cwe": "", "owasp": ""}}, {"id": "WEB015", "name": "Public web app has no Content Security Policy", "shortDescription": {"text": "Public web app has no Content Security Policy"}, "fullDescription": {"text": "Add a Content-Security-Policy header through the web framework or hosting config. For static apps, add a CSP meta tag that restricts default-src, script-src, connect-src, img-src, and frame-ancestors."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "medium", "confidence": 0.7, "cwe": "", "owasp": ""}}, {"id": "AUC001", "name": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobilit", "shortDescription": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "fullDescription": {"text": "Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them."}, "properties": {"scanner": "repobility-access-control", "category": "auth", "severity": "medium", "confidence": 0.92, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC136", "name": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns ", "shortDescription": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, retur"}, "fullDescription": {"text": "Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC031", "name": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternati", "shortDescription": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process"}, "fullDescription": {"text": "Three options, pick one:\n  1. Rewrite the pattern to avoid nested quantifiers. E.g. `(a+)+` is      functionally equivalent to `a+` for matching purposes.\n  2. Use Google's re2 (`pip install google-re2`): linear-time, drop-in      replacement for `re` for most use cases.\n  3. Set a hard timeout: `signal.alarm(1)` before regex eval.\nTest patterns against `safe-regex` or `redos-detector` before shipping."}, "properties": {"scanner": "repobility-threat-engine", "category": "redos", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "ERR002", "name": "[ERR002] Empty Catch Block: Empty catch blocks hide errors.", "shortDescription": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "fullDescription": {"text": "Log the error or rethrow it. Use console.error() at minimum."}, "properties": {"scanner": "repobility-threat-engine", "category": "error_handling", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC041", "name": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noref", "shortDescription": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and"}, "fullDescription": {"text": "Add rel=\"noopener noreferrer\" to every <a target=\"_blank\">:\n  <a href=\"...\" target=\"_blank\" rel=\"noopener noreferrer\">link</a>\nFor dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden \u2014 costs nothing."}, "properties": {"scanner": "repobility-threat-engine", "category": "security", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC087", "name": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces", "shortDescription": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "fullDescription": {"text": "Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC015", "name": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.", "shortDescription": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "fullDescription": {"text": "Use secrets module (Python) or crypto.getRandomValues() (JS) for security-sensitive randomness."}, "properties": {"scanner": "repobility-threat-engine", "category": "crypto", "severity": "medium", "confidence": 0.45, "cwe": "", "owasp": ""}}, {"id": "SEC045", "name": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a latera", "shortDescription": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use obj"}, "fullDescription": {"text": "For literal data structures: use ast.literal_eval(text) \u2014 only parses literals, raises on code.\nFor formula evaluation: use asteval or simpleeval (purpose-built sandboxes with allow-lists).\nFor Odoo: use odoo.tools.safe_eval(expr, locals_dict, mode='exec').\nIf you genuinely need to execute admin-stored code: require explicit super-admin permission AND log every execution with a stack trace."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "WEB011", "name": "Public web app has no humans.txt", "shortDescription": {"text": "Public web app has no humans.txt"}, "fullDescription": {"text": "Add humans.txt with team ownership, contact URL, key documentation links, and the last-updated date."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.5, "cwe": "", "owasp": ""}}, {"id": "WEB008", "name": "Public docs site has no llms.txt", "shortDescription": {"text": "Public docs site has no llms.txt"}, "fullDescription": {"text": "Add llms.txt with the product summary, canonical docs, API endpoints, security guidance, and preferred CLI workflow for AI agents."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.64, "cwe": "", "owasp": ""}}, {"id": "WEB002", "name": "Public web app has no sitemap", "shortDescription": {"text": "Public web app has no sitemap"}, "fullDescription": {"text": "Add sitemap.xml, a sitemap index, or a framework-native sitemap route and reference it from robots.txt."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "WEB001", "name": "Public web app has no robots.txt", "shortDescription": {"text": "Public web app has no robots.txt"}, "fullDescription": {"text": "Add robots.txt at the web root or a framework-native robots route. Include an explicit Sitemap directive and disallow only private paths."}, "properties": {"scanner": "repobility-web-presence", "category": "quality", "severity": "low", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "AIC002", "name": "Source file name looks like an AI patch artifact", "shortDescription": {"text": "Source file name looks like an AI patch artifact"}, "fullDescription": {"text": "Rename it to the domain concept it implements or merge it into the existing module it was meant to change."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "AIC009", "name": "Multiple AI-agent scaffold marker files are present", "shortDescription": {"text": "Multiple AI-agent scaffold marker files are present"}, "fullDescription": {"text": "Keep one current agent instruction file if it helps contributors, remove stale progress/completion markers, and make sure the README, tests, and CI describe the real supported behavior."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "SEC006", "name": "[SEC006] XSS Risk: Direct HTML injection without sanitization.", "shortDescription": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "fullDescription": {"text": "Use textContent instead of innerHTML. Sanitize with DOMPurify."}, "properties": {"scanner": "repobility-threat-engine", "category": "injection", "severity": "low", "confidence": 0.4, "cwe": "", "owasp": ""}}, {"id": "MINED049", "name": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.", "shortDescription": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 / A09:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "cwe": "", "owasp": ""}}, {"id": "SEC084", "name": "[SEC084] JS: require() with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC084] JS: require() with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use static imports or a static mapping `const modules = { foo: require('./foo') }`."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 6 more): Same pattern found in 6 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED098", "name": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios ", "shortDescription": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "fullDescription": {"text": "Import the library where you need it instead of attaching to window. For legitimate global registries, use a namespaced object (e.g., `window.__myApp.axios`)."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC083", "name": "[SEC083] JS: new RegExp() with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed.", "shortDescription": {"text": "[SEC083] JS: new RegExp() with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "fullDescription": {"text": "Use a literal RegExp or whitelist-validate user input before constructing patterns."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC040", "name": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 22 more): Same pattern found in 22 additional f", "shortDescription": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "fullDescription": {"text": "For plain text: use el.textContent = data.value (auto-escapes).\nFor HTML you need to render: el.innerHTML = DOMPurify.sanitize(html).\nFor React/Vue/Svelte: stop using innerHTML; use the framework's binding.\nWhen data comes from CV/PDF parsers, sanitize at the parser boundary too."}, "properties": {"scanner": "repobility-threat-engine", "category": "xss", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC128", "name": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 15 more): Same pattern found in 15 add", "shortDescription": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "fullDescription": {"text": "Add `await` before each async call, or chain with `.then`. If you intentionally want fire-and-forget, prefix with `void` (TS) or assign to `_` (Python with `asyncio.create_task`) to make the intent explicit and survive lint."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED056", "name": "[MINED056] React Key As Index (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED056] React Key As Index (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-682 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 19 more): Same pattern found in 19 addi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED058", "name": "[MINED058] React Dangerously Set Html (and 4 more): Same pattern found in 4 additional files. Review if needed.", "shortDescription": {"text": "[MINED058] React Dangerously Set Html (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-79 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED054", "name": "[MINED054] Ts As Any (and 98 more): Same pattern found in 98 additional files. Review if needed.", "shortDescription": {"text": "[MINED054] Ts As Any (and 98 more): Same pattern found in 98 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED052", "name": "[MINED052] Ts Any Typed (and 224 more): Same pattern found in 224 additional files. Review if needed.", "shortDescription": {"text": "[MINED052] Ts Any Typed (and 224 more): Same pattern found in 224 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-704 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED045", "name": "[MINED045] Ts Non Null Assertion (and 74 more): Same pattern found in 74 additional files. Review if needed.", "shortDescription": {"text": "[MINED045] Ts Non Null Assertion (and 74 more): Same pattern found in 74 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-476 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod (and 40 more): Same pattern found in 40 additional files. Review if needed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC085", "name": "[SEC085] JS: child_process.exec with non-literal (and 6 more): Same pattern found in 6 additional files. Review if neede", "shortDescription": {"text": "[SEC085] JS: child_process.exec with non-literal (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "fullDescription": {"text": "Use execFile / spawn with separate args array; never pass shell strings."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run t", "shortDescription": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) in"}, "fullDescription": {"text": "Replace with: `uses: actions/checkout@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).", "shortDescription": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC100", "name": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make ", "shortDescription": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "fullDescription": {"text": "Allowlist specific origins. For dynamic per-request validation, validate against a known list and echo the origin back. Never combine wildcard origin with credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "high", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED116", "name": "[MINED116] Workflow uses `secrets.GH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which", "shortDescription": {"text": "[MINED116] Workflow uses `secrets.GH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a"}, "fullDescription": {"text": "Either remove the secret reference, or switch the trigger to `pull_request_target` AND ensure no fork-controlled code runs before the secret is consumed."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "SEC009", "name": "[SEC009] .env File Committed: .env file with secrets committed to repository.", "shortDescription": {"text": "[SEC009] .env File Committed: .env file with secrets committed to repository."}, "fullDescription": {"text": "Add .env to .gitignore. Rotate all exposed credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED035", "name": "[MINED035] Js New Function: new Function(...) compiles strings to functions.", "shortDescription": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-95 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED019", "name": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates.", "shortDescription": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-94 / A03:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_ENV_FILE", "name": ".env file committed to repository", "shortDescription": {"text": ".env file committed to repository"}, "fullDescription": {"text": "Remove .env from version control: git rm --cached .env. Add '.env' to .gitignore. Rotate all exposed credentials."}, "properties": {"scanner": "repobility-core", "category": "security", "severity": "critical", "confidence": null, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/783"}, "properties": {"repository": "storybookjs/storybook", "repoUrl": "https://github.com/storybookjs/storybook", "branch": "main"}, "results": [{"ruleId": "WEB012", "level": "warning", "message": {"text": "Service worker is present without a web app manifest"}, "properties": {"repobilityId": 66115, "scanner": "repobility-web-presence", "fingerprint": "fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea", "category": "quality", "severity": "medium", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A service worker was discovered but no common web manifest file was found.", "evidence": {"rule_id": "WEB012", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/Manifest"], "correlation_key": "fp|fcb0b1c9ad72f83092dc6928d3e76ca25d428a654bdcd26192cf227ad67fe1ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "manifest.json"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB003", "level": "warning", "message": {"text": "Public web service has no security.txt"}, "properties": {"repobilityId": 66114, "scanner": "repobility-web-presence", "fingerprint": "5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd", "category": "quality", "severity": "medium", "confidence": 0.78, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app/API but no security.txt file or route was discovered.", "evidence": {"rule_id": "WEB003", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9116", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|5cd26606c5a53c9f403ff7a92a6917c19cf440a23ce03e2b90e8c493312ef8cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".well-known/security.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB015", "level": "warning", "message": {"text": "Public web app has no Content Security Policy"}, "properties": {"repobilityId": 66113, "scanner": "repobility-web-presence", "fingerprint": "7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63", "category": "quality", "severity": "medium", "confidence": 0.7, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no CSP header, framework header config, Helmet policy, or CSP meta tag was discovered.", "evidence": {"rule_id": "WEB015", "scanner": "repobility-web-presence", "references": ["https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|7eb70cae3ff63d8ed7c31706185d32b37655333b40b58ca826d740b08fb1ad63"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "index.html"}, "region": {"startLine": 1}}}]}, {"ruleId": "AUC001", "level": "warning", "message": {"text": "[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation."}, "properties": {"repobilityId": 66108, "scanner": "repobility-access-control", "fingerprint": "f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10", "category": "auth", "severity": "medium", "confidence": 0.92, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Static route and framework evidence require project-owner confirmation.", "evidence": {"scanner": "repobility-access-control", "frameworks": ["Next.js"], "expected_files": [".repobility/access.yml", ".repobility/access.yaml", ".repobility/access.json", ".repobility/authorization.yml"], "correlation_key": "fp|f1305052c3ba1e6c1cdb5dccc19e58a8168cf78b176658f32b1fc823df3e9d10"}}}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 66063, "scanner": "repobility-threat-engine", "fingerprint": "777cda22be26e183d98440613df749edbf552acddd55c7a86f4b71d20fbd8020", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "url: 'https://example.com", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|777cda22be26e183d98440613df749edbf552acddd55c7a86f4b71d20fbd8020"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/manager/components/sidebar/Explorer.stories.tsx"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 66062, "scanner": "repobility-threat-engine", "fingerprint": "bb92ecff893f1def25fcf7bfcab8c3eb38a9868114689203c4d51d25cca0d2d3", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Lorem ipsum dolor sit amet", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bb92ecff893f1def25fcf7bfcab8c3eb38a9868114689203c4d51d25cca0d2d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/components/components/Popover/PopoverProvider.stories.tsx"}, "region": {"startLine": 157}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 66061, "scanner": "repobility-threat-engine", "fingerprint": "2493b8c3e43da58cdf43a6246a0caec18e98754dc07768905ede0f9845daccbc", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Lorem ipsum dolor sit amet", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2493b8c3e43da58cdf43a6246a0caec18e98754dc07768905ede0f9845daccbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/components/components/Popover/Popover.stories.tsx"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 66054, "scanner": "repobility-threat-engine", "fingerprint": "58415cb185321342b27cd6408c3fef86b1f1371cbe5bb435fe928cb0cf1cd475", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (err) {\n    return null;\n  }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|58415cb185321342b27cd6408c3fef86b1f1371cbe5bb435fe928cb0cf1cd475"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/common/utils/get-addon-annotations.ts"}, "region": {"startLine": 44}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 66053, "scanner": "repobility-threat-engine", "fingerprint": "2eb859f394fe978e6288bc512c5b111c4c9b8344801cbbcbd82e9be19ad636c8", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (er) {\n          return [];\n        }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2eb859f394fe978e6288bc512c5b111c4c9b8344801cbbcbd82e9be19ad636c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/channels/postmessage/index.ts"}, "region": {"startLine": 151}}}]}, {"ruleId": "SEC136", "level": "warning", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws \u2014 wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (improperly-generalized exception). Distinct from intentional fallback because there's no log line and the success value is fabricated."}, "properties": {"repobilityId": 66052, "scanner": "repobility-threat-engine", "fingerprint": "38b34c80807ecc590c64f8c86994866c3fbcf57b5b6f10879c280796d50b1750", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "} catch (e) {\n        return null;\n      }", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|38b34c80807ecc590c64f8c86994866c3fbcf57b5b6f10879c280796d50b1750"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/vitest/src/vitest-plugin/utils.ts"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC031", "level": "warning", "message": {"text": "[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit exponential backtracking, freezing the process. CWE-1333. Real CVEs: CVE-2017-16129 (minimatch), CVE-2021-3807 (ansi-regex), and dozens more."}, "properties": {"repobilityId": 66047, "scanner": "repobility-threat-engine", "fingerprint": "897f6d1d2a4d158155d54e9a42bac70418e6f4bad448636526c6ae3be00bc66c", "category": "redos", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pseudoStatesPattern);\nconst matchAll = new RegExp(pseudoStatesPattern, 'g');\n\nconst warni", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC031", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|897f6d1d2a4d158155d54e9a42bac70418e6f4bad448636526c6ae3be00bc66c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/pseudo-states/src/preview/rewriteStyleSheet.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 66045, "scanner": "repobility-threat-engine", "fingerprint": "95e3c0f49fc1c01d18e714b86615036b640406e3ddae2c6cca0010ec70b7ea78", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|95e3c0f49fc1c01d18e714b86615036b640406e3ddae2c6cca0010ec70b7ea78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/core-server/utils/checklist.ts"}, "region": {"startLine": 91}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 66044, "scanner": "repobility-threat-engine", "fingerprint": "8a8b782e79d39cff64831002a05ad4a3b2409f24f0ff00c8895d7282522a1572", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|8a8b782e79d39cff64831002a05ad4a3b2409f24f0ff00c8895d7282522a1572"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/core-server/build-static.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "ERR002", "level": "warning", "message": {"text": "[ERR002] Empty Catch Block: Empty catch blocks hide errors."}, "properties": {"repobilityId": 66043, "scanner": "repobility-threat-engine", "fingerprint": "a3d9020637285d4a51c027270f4d9196c1b2446fe453fe7870b22b079617d370", "category": "error_handling", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".catch(() => {})", "reason": "Pattern matched with no mitigating context found", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a3d9020637285d4a51c027270f4d9196c1b2446fe453fe7870b22b079617d370"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/controls/components/SaveStory.tsx"}, "region": {"startLine": 103}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 66025, "scanner": "repobility-threat-engine", "fingerprint": "162e954346157cf5951317e9df2d10ddc345ae37039f030310421626d44d6ff3", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(originHrefs.previewHref, '_blank', 'noopener,noreferrer')", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|101|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/manager/components/preview/tools/share.tsx"}, "region": {"startLine": 101}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 66024, "scanner": "repobility-threat-engine", "fingerprint": "ab3f3ffd78f3c227043b2bb917d5797dc7c11fef2b509cd1f98134d5157a052d", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(\n                'https://github.com/storybookjs/storybook/blob/next/code/lib/blocks/src", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|24|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/docs/src/blocks/examples/CanvasParameters.stories.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "SEC041", "level": "warning", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\": <a target=\"_blank\"> without rel=\"noopener noreferrer\" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility."}, "properties": {"repobilityId": 66023, "scanner": "repobility-threat-engine", "fingerprint": "17c38f05054f5c7d4b68244095f34bec1b07cfd6265b1c535a7c0021cbf585e0", "category": "security", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "window.open(\n            'https://github.com/storybookjs/storybook/blob/next/code/lib/blocks/src/exa", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|security|token|86|sec041"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/docs/src/blocks/blocks/Canvas.stories.tsx"}, "region": {"startLine": 86}}}]}, {"ruleId": "SEC087", "level": "warning", "message": {"text": "[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0)."}, "properties": {"repobilityId": 66022, "scanner": "repobility-threat-engine", "fingerprint": "bff02a7d7ba43adf261718ae55e7f45789118d11211341515157323d3bb35a27", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "key={Math.random(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC087", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|bff02a7d7ba43adf261718ae55e7f45789118d11211341515157323d3bb35a27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/docs/src/DocsRenderer.tsx"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC015", "level": "warning", "message": {"text": "[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable."}, "properties": {"repobilityId": 66021, "scanner": "repobility-threat-engine", "fingerprint": "faf7e00cf80ff2c9cd7c2ee06a8bd02d9a3e38eb929123815d9e3f3d9302280f", "category": "crypto", "severity": "medium", "confidence": 0.45, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here | [R34 auto-suppress: documentation/example path]", "evidence": {"match": "key={Math.random", "reason": "Security-sensitive keyword found nearby \u2014 weak PRNG is risky here | [R34 auto-suppress: documentation/example path]", "rule_id": "SEC015", "scanner": "repobility-threat-engine", "confidence": 0.45, "correlation_key": "code|crypto|token|71|sec015"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/docs/src/DocsRenderer.tsx"}, "region": {"startLine": 71}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 65991, "scanner": "repobility-threat-engine", "fingerprint": "0d0406f631515c7bbf3b0ea46e5449d5730dbca1a178c863616ef5942fc1bad0", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|code/core/build-config.ts|9|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/build-config.ts"}, "region": {"startLine": 9}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 65990, "scanner": "repobility-threat-engine", "fingerprint": "56f99d9158dac1c99403573ce9db84ab192a8e08082357dce9331cd3056205a8", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|token|34|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/.storybook/bench/bench.stories.tsx"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC045", "level": "warning", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data \u2014 even admin-stored data \u2014 is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ cleared) are escapable: attackers use object introspection (().__class__.__mro__[-1].__subclasses__()) to reach os.system. CWE-95 (eval injection)."}, "properties": {"repobilityId": 65989, "scanner": "repobility-threat-engine", "fingerprint": "e47067d91dd30d6f15f0b1215f399566fce0625c1eba93e33f6653a7d66db384", "category": "injection", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".exec(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "code|injection|. token|49|sec045"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/minor-release/get-minor-changelog-summary.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "WEB011", "level": "note", "message": {"text": "Public web app has no humans.txt"}, "properties": {"repobilityId": 66112, "scanner": "repobility-web-presence", "fingerprint": "bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1", "category": "quality", "severity": "low", "confidence": 0.5, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks like a public web app but no humans.txt file or route was discovered.", "evidence": {"rule_id": "WEB011", "scanner": "repobility-web-presence", "references": ["https://github.com/Lissy93/web-check"], "correlation_key": "fp|bdd551fbe1ab6405480e0d5755632562c2096cb9e9a6a071ef60e4c27a6873f1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "humans.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB008", "level": "note", "message": {"text": "Public docs site has no llms.txt"}, "properties": {"repobilityId": 66111, "scanner": "repobility-web-presence", "fingerprint": "cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76", "category": "quality", "severity": "low", "confidence": 0.64, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Repository looks public and documentation-heavy but no llms.txt file or route was discovered.", "evidence": {"rule_id": "WEB008", "scanner": "repobility-web-presence", "references": ["https://llmstxt.org/"], "correlation_key": "fp|cdce8ed8706710d39c3e7272dad572dd639cff74fd3d2ac62d8f6f522b891d76"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "llms.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB002", "level": "note", "message": {"text": "Public web app has no sitemap"}, "properties": {"repobilityId": 66110, "scanner": "repobility-web-presence", "fingerprint": "fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf", "category": "quality", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no sitemap file or route was discovered.", "evidence": {"rule_id": "WEB002", "scanner": "repobility-web-presence", "references": ["https://www.sitemaps.org/protocol.html", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|fccbe72d13ca3ba9197ec37b0daa0802fb6d5ebff54b3eb9f09b59b0f8d0acdf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sitemap.xml"}, "region": {"startLine": 1}}}]}, {"ruleId": "WEB001", "level": "note", "message": {"text": "Public web app has no robots.txt"}, "properties": {"repobilityId": 66109, "scanner": "repobility-web-presence", "fingerprint": "cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4", "category": "quality", "severity": "low", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository looks like a public web app but no robots.txt file or route was discovered.", "evidence": {"rule_id": "WEB001", "scanner": "repobility-web-presence", "references": ["https://www.rfc-editor.org/rfc/rfc9309", "https://github.com/Lissy93/web-check"], "correlation_key": "fp|cae3f2223945958e14d8eb90f7965fa26b47011cc5be29c2855a4054937e29c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "robots.txt"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66107, "scanner": "repobility-ai-code-hygiene", "fingerprint": "96d02805856d4b5fa279b25883651592e8e80468b104a76b87d3f59e347a504f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/core/src/components/components/Popover/Popover.stories.tsx", "duplicate_line": 41, "correlation_key": "fp|96d02805856d4b5fa279b25883651592e8e80468b104a76b87d3f59e347a504f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/components/components/tooltip/Tooltip.stories.tsx"}, "region": {"startLine": 30}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66106, "scanner": "repobility-ai-code-hygiene", "fingerprint": "11d1f38a62e4e70be42dbd98cb7b1799c321e57f72dcd607b6f033f354518e3a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/core/src/components/components/Toolbar/AbstractToolbar.stories.tsx", "duplicate_line": 4, "correlation_key": "fp|11d1f38a62e4e70be42dbd98cb7b1799c321e57f72dcd607b6f033f354518e3a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/components/components/Toolbar/Toolbar.stories.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66105, "scanner": "repobility-ai-code-hygiene", "fingerprint": "11d74f4fb831e7e2e56a9735833870259c6321dd46a96861e06e4d92eaee6169", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/core/src/components/components/Tabs/StatelessTabsView.tsx", "duplicate_line": 49, "correlation_key": "fp|11d74f4fb831e7e2e56a9735833870259c6321dd46a96861e06e4d92eaee6169"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/components/components/Tabs/TabsView.tsx"}, "region": {"startLine": 94}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66104, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9630a888c782675aee9b3011646271cb9859564f46f03380323696dba350c44c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/core/src/components/components/Tabs/StatelessTabsView.stories.tsx", "duplicate_line": 97, "correlation_key": "fp|9630a888c782675aee9b3011646271cb9859564f46f03380323696dba350c44c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/components/components/Tabs/TabsView.stories.tsx"}, "region": {"startLine": 73}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66103, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d79e33548444456e6274cb2e387cee3316813a2040e7e2db8147cfcf03a94fda", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/core/src/components/components/Tabs/StatelessTabList.tsx", "duplicate_line": 8, "correlation_key": "fp|d79e33548444456e6274cb2e387cee3316813a2040e7e2db8147cfcf03a94fda"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/components/components/Tabs/TabList.tsx"}, "region": {"startLine": 64}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66102, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a0c7301a91fe2d60d9b2168611fccf9c240b04446103d99dc35fee3b0c6cb0c3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/core/src/components/components/Tabs/Button.tsx", "duplicate_line": 87, "correlation_key": "fp|a0c7301a91fe2d60d9b2168611fccf9c240b04446103d99dc35fee3b0c6cb0c3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/components/components/Tabs/TabList.tsx"}, "region": {"startLine": 25}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66101, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f229233bcefb0921980794f69fe07a26dc733f020640f321b6eaf695f7d25e80", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/core/src/components/components/Tabs/StatelessTab.tsx", "duplicate_line": 10, "correlation_key": "fp|f229233bcefb0921980794f69fe07a26dc733f020640f321b6eaf695f7d25e80"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/components/components/Tabs/TabList.tsx"}, "region": {"startLine": 16}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66100, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3bfce9e1077bfca334b6f86c408fa001257e0005820cf8add8bbfa9face59a65", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/addons/a11y/src/components/TestDiscrepancyMessage.tsx", "duplicate_line": 10, "correlation_key": "fp|3bfce9e1077bfca334b6f86c408fa001257e0005820cf8add8bbfa9face59a65"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/component-testing/components/TestDiscrepancyMessage.tsx"}, "region": {"startLine": 11}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66099, "scanner": "repobility-ai-code-hygiene", "fingerprint": "57631fb94c2a24abaae3eb058d45aa87ded3d99f8e7c9e97846671b4bd0c5da3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/core/src/common/js-package-manager/BUNProxy.ts", "duplicate_line": 198, "correlation_key": "fp|57631fb94c2a24abaae3eb058d45aa87ded3d99f8e7c9e97846671b4bd0c5da3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/common/js-package-manager/Yarn2Proxy.ts"}, "region": {"startLine": 237}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66098, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b39c43df873af16fda52d861622c622179e993072a5606628e513be5fcede7be", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/core/src/common/js-package-manager/PNPMProxy.ts", "duplicate_line": 159, "correlation_key": "fp|b39c43df873af16fda52d861622c622179e993072a5606628e513be5fcede7be"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/common/js-package-manager/Yarn2Proxy.ts"}, "region": {"startLine": 192}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66097, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f4cd3796d52c5626813f8625a2ff52427a5ff2062213a8d6aae692788c3a16e4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/core/src/common/js-package-manager/Yarn1Proxy.ts", "duplicate_line": 35, "correlation_key": "fp|f4cd3796d52c5626813f8625a2ff52427a5ff2062213a8d6aae692788c3a16e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/common/js-package-manager/Yarn2Proxy.ts"}, "region": {"startLine": 96}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66096, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0a1751a5ab5796636484726ae7a3aeb464bc7b152408eade265bef6b75232a13", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/core/src/common/js-package-manager/BUNProxy.ts", "duplicate_line": 198, "correlation_key": "fp|0a1751a5ab5796636484726ae7a3aeb464bc7b152408eade265bef6b75232a13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/common/js-package-manager/PNPMProxy.ts"}, "region": {"startLine": 203}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66095, "scanner": "repobility-ai-code-hygiene", "fingerprint": "534831ea6e789ae57087991421ce69ee38dd113f489909430a3154918db4e059", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/core/src/common/js-package-manager/BUNProxy.ts", "duplicate_line": 27, "correlation_key": "fp|534831ea6e789ae57087991421ce69ee38dd113f489909430a3154918db4e059"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/common/js-package-manager/NPMProxy.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66094, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4f82bd8c8df8002476c8cbe404131a41f1f45837ce1f5225cf6aa96e6e7a91d4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/addons/themes/build-config.ts", "duplicate_line": 3, "correlation_key": "fp|4f82bd8c8df8002476c8cbe404131a41f1f45837ce1f5225cf6aa96e6e7a91d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/vitest/build-config.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66093, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5b3c876d74c1bb8b1fb9f32a21db83888c9a079820fbd92534ac51eae71a416b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/addons/onboarding/build-config.ts", "duplicate_line": 1, "correlation_key": "fp|5b3c876d74c1bb8b1fb9f32a21db83888c9a079820fbd92534ac51eae71a416b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/vitest/build-config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66092, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1f2c7f14c0e0ba9827faa96c207bcfdf6a0613b6cce30f8cf014c5ceeae262cb", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/addons/onboarding/build-config.ts", "duplicate_line": 1, "correlation_key": "fp|1f2c7f14c0e0ba9827faa96c207bcfdf6a0613b6cce30f8cf014c5ceeae262cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/themes/build-config.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66091, "scanner": "repobility-ai-code-hygiene", "fingerprint": "8a9a9de4e610219f137ff7d2e5912db12ee0f40a9a714f8c32681d4b15d3bac3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/addons/pseudo-states/src/stories/ShadowRoot.stories.tsx", "duplicate_line": 8, "correlation_key": "fp|8a9a9de4e610219f137ff7d2e5912db12ee0f40a9a714f8c32681d4b15d3bac3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/pseudo-states/src/stories/ShadowRootWithPart.stories.tsx"}, "region": {"startLine": 8}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66090, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bdb86e2c039103399557f989500a6e83e15d25a07ad266875e9b5939e8dbdc68", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/addons/pseudo-states/src/stories/CustomElement.tsx", "duplicate_line": 3, "correlation_key": "fp|bdb86e2c039103399557f989500a6e83e15d25a07ad266875e9b5939e8dbdc68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/pseudo-states/src/stories/ShadowRoot.tsx"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66089, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ddd19912bde4c867f90549dee9f3820cd85be7962d9ec2debd351b68e698abf8", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/addons/pseudo-states/src/stories/Button.stories.tsx", "duplicate_line": 38, "correlation_key": "fp|ddd19912bde4c867f90549dee9f3820cd85be7962d9ec2debd351b68e698abf8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/pseudo-states/src/stories/CustomElementNested.stories.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66088, "scanner": "repobility-ai-code-hygiene", "fingerprint": "93ee91a3e7105073f78ffa10b98ab4651dadf263957c0433638808fd9c243e45", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/addons/pseudo-states/src/stories/CSSAtRules.stories.tsx", "duplicate_line": 18, "correlation_key": "fp|93ee91a3e7105073f78ffa10b98ab4651dadf263957c0433638808fd9c243e45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/pseudo-states/src/stories/CustomElementNested.stories.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66087, "scanner": "repobility-ai-code-hygiene", "fingerprint": "9d817469e9df185bf9a14cfb584d68cca49258eff8a1b980336d2256c5924ca3", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/addons/pseudo-states/src/stories/CustomElement.stories.tsx", "duplicate_line": 20, "correlation_key": "fp|9d817469e9df185bf9a14cfb584d68cca49258eff8a1b980336d2256c5924ca3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/pseudo-states/src/stories/CustomElementNested.stories.tsx"}, "region": {"startLine": 20}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66086, "scanner": "repobility-ai-code-hygiene", "fingerprint": "a65959476a6b4418865706a524a1e7dcd04a523b686a3816bbcf41287ec13cc7", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/addons/pseudo-states/src/stories/Button.stories.tsx", "duplicate_line": 38, "correlation_key": "fp|a65959476a6b4418865706a524a1e7dcd04a523b686a3816bbcf41287ec13cc7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/pseudo-states/src/stories/CustomElement.stories.tsx"}, "region": {"startLine": 28}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66085, "scanner": "repobility-ai-code-hygiene", "fingerprint": "6561d1f1bdc7bb25503bf96d091151c8b12b050dabe8136d15dc35323c4acf00", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/addons/pseudo-states/src/stories/CSSAtRules.stories.tsx", "duplicate_line": 18, "correlation_key": "fp|6561d1f1bdc7bb25503bf96d091151c8b12b050dabe8136d15dc35323c4acf00"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/pseudo-states/src/stories/CustomElement.stories.tsx"}, "region": {"startLine": 22}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66084, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b4f7ef9dadcb021be09377adb6526dcc3e3f727a699ecf0045ff17e03497047f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/addons/pseudo-states/src/stories/Button.stories.tsx", "duplicate_line": 9, "correlation_key": "fp|b4f7ef9dadcb021be09377adb6526dcc3e3f727a699ecf0045ff17e03497047f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/pseudo-states/src/stories/CSSAtRules.stories.tsx"}, "region": {"startLine": 10}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 66083, "scanner": "repobility-ai-code-hygiene", "fingerprint": "c91e7bf35cf60ff66e4b58be1873cf527853d886c7b21b702a8c7270865c52e9", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "code/addons/a11y/src/components/A11YPanel.stories.tsx", "duplicate_line": 23, "correlation_key": "fp|c91e7bf35cf60ff66e4b58be1873cf527853d886c7b21b702a8c7270865c52e9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/a11y/src/components/Report/Report.stories.tsx"}, "region": {"startLine": 9}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 66082, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ccb761d75f9cca3cf2e3b23de93cbb5897744c2632175c8b8a7a7daa578a035f", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "new", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|ccb761d75f9cca3cf2e3b23de93cbb5897744c2632175c8b8a7a7daa578a035f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/manager/settings/whats_new.tsx"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 66081, "scanner": "repobility-ai-code-hygiene", "fingerprint": "bacfba10f638709a64514edafb407846ad34d1688fb36ce23bacdd1076c142b1", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "new", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|bacfba10f638709a64514edafb407846ad34d1688fb36ce23bacdd1076c142b1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/core-server/utils/whats-new.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC002", "level": "note", "message": {"text": "Source file name looks like an AI patch artifact"}, "properties": {"repobilityId": 66080, "scanner": "repobility-ai-code-hygiene", "fingerprint": "f320454403cb0aa5ca947be343b3281bae88cd69b42c8a11002dc95055829e58", "category": "quality", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Source filename contains a temporary or patch-style suffix.", "evidence": {"suffix": "new", "rule_id": "AIC002", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|f320454403cb0aa5ca947be343b3281bae88cd69b42c8a11002dc95055829e58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/core-events/data/whats-new.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC009", "level": "note", "message": {"text": "Multiple AI-agent scaffold marker files are present"}, "properties": {"repobilityId": 66079, "scanner": "repobility-ai-code-hygiene", "fingerprint": "637be4b7d792540c9eb7ec6ecee111643252bb60385776703cb965bcde5506e0", "category": "quality", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Repository root contains several AI-agent scaffold marker files.", "evidence": {"markers": [".cursorrules", "AGENTS.md", "CLAUDE.md"], "rule_id": "AIC009", "scanner": "repobility-ai-code-hygiene", "references": ["https://arxiv.org/abs/2601.15195"], "correlation_key": "fp|637be4b7d792540c9eb7ec6ecee111643252bb60385776703cb965bcde5506e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".cursorrules"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 66019, "scanner": "repobility-threat-engine", "fingerprint": "84ddfd70d205cc583418ced258153c574b37799bc227c84d5afcfb9d5b343e33", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|14|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/pseudo-states/src/stories/ShadowRootWithPart.tsx"}, "region": {"startLine": 14}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 66018, "scanner": "repobility-threat-engine", "fingerprint": "4907ecce1c7f3e28d4817777d57df4b0ed63058c46ffa7bde98d186ae29cee88", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|12|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/pseudo-states/src/stories/ShadowRoot.tsx"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC006", "level": "note", "message": {"text": "[SEC006] XSS Risk: Direct HTML injection without sanitization."}, "properties": {"repobilityId": 66017, "scanner": "repobility-threat-engine", "fingerprint": "a0c173475f941e9ae9d93c3175196912d09843eb68ec2f99d7f7bd7a40ab99c4", "category": "injection", "severity": "low", "confidence": 0.4, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "evidence": {"match": ".innerHTML = `", "reason": "No user-input source (request/query/fetch/URL) found \u2014 may be static content", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.4, "correlation_key": "code|injection|token|144|sec006"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/a11y/template/stories/parameters.stories.ts"}, "region": {"startLine": 144}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 66074, "scanner": "repobility-threat-engine", "fingerprint": "79359f7b8e5c95059061631633b72da2c732d2fd7d3dc94755defe968d894e28", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|79359f7b8e5c95059061631633b72da2c732d2fd7d3dc94755defe968d894e28"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/frameworks/angular/template/stories/argTypes/doc-button/doc-button.component.ts"}, "region": {"startLine": 222}}}]}, {"ruleId": "MINED049", "level": "none", "message": {"text": "[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout."}, "properties": {"repobilityId": 66073, "scanner": "repobility-threat-engine", "fingerprint": "37ecbc4f36524a11db50580cbe7633d8c76d5e5abc77cf8b1fce425d2f46e3c1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "print-pii", "owasp": "A09:2021", "cwe_ids": ["CWE-532"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348015+00:00", "triaged_in_corpus": 12, "observations_count": 676566, "ai_coder_pattern_id": 26}, "scanner": "repobility-threat-engine", "correlation_key": "fp|37ecbc4f36524a11db50580cbe7633d8c76d5e5abc77cf8b1fce425d2f46e3c1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/frameworks/angular/src/client/docs/__testfixtures__/doc-button/input.ts"}, "region": {"startLine": 187}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 66072, "scanner": "repobility-threat-engine", "fingerprint": "c27e56c4debb7f6dc0ae82dca33c2bc5e158e400375ac333d4530a9e1a85cc0b", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log(password)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|22|console.log password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/frameworks/angular/template/stories/argTypes/doc-button/doc-button.component.ts"}, "region": {"startLine": 222}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 66071, "scanner": "repobility-threat-engine", "fingerprint": "6cb6f0ac7c1bc6e5d88a5615ae4d7c100ca66e1b624cb6c79149b2760cba21f6", "category": "credential_exposure", "severity": "info", "confidence": 0.15, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "evidence": {"match": "console.log(password)", "reason": "Log message mentions credential-related metadata but does not print a credential-bearing value", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.15, "correlation_key": "secret|token|18|console.log password"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/frameworks/angular/src/client/docs/__testfixtures__/doc-button/input.ts"}, "region": {"startLine": 187}}}]}, {"ruleId": "SEC084", "level": "none", "message": {"text": "[SEC084] JS: require() with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 66069, "scanner": "repobility-threat-engine", "fingerprint": "1ab24bd4307ac28d8fe949cb2ba0d619298592370da5c4874409946d0caac342", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|1ab24bd4307ac28d8fe949cb2ba0d619298592370da5c4874409946d0caac342"}}}, {"ruleId": "SEC134", "level": "none", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 66064, "scanner": "repobility-threat-engine", "fingerprint": "c86a8223d36e18524aeee3169632549ad0e22449690a236f9850ddf0d78b00dc", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|c86a8223d36e18524aeee3169632549ad0e22449690a236f9850ddf0d78b00dc"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 66060, "scanner": "repobility-threat-engine", "fingerprint": "e7cd40d7b324241c80937e7a6f550054df46cdde533de8ce7a56977f55a98866", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e7cd40d7b324241c80937e7a6f550054df46cdde533de8ce7a56977f55a98866", "aggregated_count": 6}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 66059, "scanner": "repobility-threat-engine", "fingerprint": "d6e45a939e837f8cb3e2fef6766b2a7e0c7ef094a4e6b5ae0add88864e17b1d9", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d6e45a939e837f8cb3e2fef6766b2a7e0c7ef094a4e6b5ae0add88864e17b1d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/components/components/ProgressSpinner/ProgressSpinner.tsx"}, "region": {"startLine": 5}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 66058, "scanner": "repobility-threat-engine", "fingerprint": "810be826107356ed7164225409c15c0bd1194724a956f8133dc275922300e1d0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|810be826107356ed7164225409c15c0bd1194724a956f8133dc275922300e1d0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/components/components/Form/Select.tsx"}, "region": {"startLine": 24}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 66057, "scanner": "repobility-threat-engine", "fingerprint": "4a1f449a1a8536117341dd616318a6537164609eaa015e200aeb4ffb278cb123", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|4a1f449a1a8536117341dd616318a6537164609eaa015e200aeb4ffb278cb123"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/components/components/Form/Checkbox.tsx"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED098", "level": "none", "message": {"text": "[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming collisions."}, "properties": {"repobilityId": 66056, "scanner": "repobility-threat-engine", "fingerprint": "2e59ebb423a9ee380721236cf08476fa0bf37807154ccb8a0e83d2760122a385", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "global-scope-pollution", "owasp": null, "cwe_ids": [], "languages": ["javascript"], "precision": 1.0, "promoted_at": "2026-05-18T15:01:13.611213+00:00", "triaged_in_corpus": 12, "observations_count": 173528, "ai_coder_pattern_id": 55}, "scanner": "repobility-threat-engine", "correlation_key": "fp|2e59ebb423a9ee380721236cf08476fa0bf37807154ccb8a0e83d2760122a385"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/builders/builder-webpack5/templates/virtualModuleModernEntry.js"}, "region": {"startLine": 26}}}]}, {"ruleId": "SEC136", "level": "none", "message": {"text": "[SEC136] AI-typical over-broad exception handler swallowing all errors (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 66055, "scanner": "repobility-threat-engine", "fingerprint": "240332b6eac19ed20917309b8c65c3d20dd439ba1c1be8bfda8383c6ac10578e", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC136", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|240332b6eac19ed20917309b8c65c3d20dd439ba1c1be8bfda8383c6ac10578e"}}}, {"ruleId": "SEC083", "level": "none", "message": {"text": "[SEC083] JS: new RegExp() with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 66051, "scanner": "repobility-threat-engine", "fingerprint": "814505ea9c56c1cdf3329a6624808f8471bdb2072be6a6109dd09cedc8ec8c7b", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|814505ea9c56c1cdf3329a6624808f8471bdb2072be6a6109dd09cedc8ec8c7b"}}}, {"ruleId": "ERR002", "level": "none", "message": {"text": "[ERR002] Empty Catch Block (and 5 more): Same pattern found in 5 additional files. Review if needed."}, "properties": {"repobilityId": 66046, "scanner": "repobility-threat-engine", "fingerprint": "bcc4f4ba9d6f1cc01238739180acf67e6d4fb5ebbdd6b73d3d1174f7cc93f498", "category": "error_handling", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 5 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "ERR002", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|bcc4f4ba9d6f1cc01238739180acf67e6d4fb5ebbdd6b73d3d1174f7cc93f498"}}}, {"ruleId": "SEC040", "level": "none", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data (and 22 more): Same pattern found in 22 additional files. Review if needed."}, "properties": {"repobilityId": 66042, "scanner": "repobility-threat-engine", "fingerprint": "faef1f153b909d55ba089c633cb12af33c44dd6d5b7539d52c2a7e7cc9f93782", "category": "xss", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 22 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|faef1f153b909d55ba089c633cb12af33c44dd6d5b7539d52c2a7e7cc9f93782"}}}, {"ruleId": "SEC128", "level": "none", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake) (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 66038, "scanner": "repobility-threat-engine", "fingerprint": "626b968a51905fab68488b914668d7d2e59a6d38ac62d921861aaee76f35958d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|626b968a51905fab68488b914668d7d2e59a6d38ac62d921861aaee76f35958d"}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 66034, "scanner": "repobility-threat-engine", "fingerprint": "d7f594181ef7d6a707278fd0bbfa9918494cb5e31e08de25eb7881e568738c27", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|d7f594181ef7d6a707278fd0bbfa9918494cb5e31e08de25eb7881e568738c27", "aggregated_count": 8}}}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 66033, "scanner": "repobility-threat-engine", "fingerprint": "8364a5f4c0ac9bfa274191d34228414a74a0908b72aa3c8ee27c34264529befb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|8364a5f4c0ac9bfa274191d34228414a74a0908b72aa3c8ee27c34264529befb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/component-testing/components/InteractionsPanel.tsx"}, "region": {"startLine": 212}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 66032, "scanner": "repobility-threat-engine", "fingerprint": "fb78b53216f5785b019ebdc9820056cd579772332cae7cddd20cf4a8ed633b47", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fb78b53216f5785b019ebdc9820056cd579772332cae7cddd20cf4a8ed633b47"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/docs/src/blocks/components/Preview.tsx"}, "region": {"startLine": 218}}}]}, {"ruleId": "MINED056", "level": "none", "message": {"text": "[MINED056] React Key As Index: key={index} in map() \u2014 re-renders the wrong elements on re-order."}, "properties": {"repobilityId": 66031, "scanner": "repobility-threat-engine", "fingerprint": "68422ba275dafd9b020d8a064846dd259b750976175063befa642c8752e9ac84", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-key-as-index", "owasp": null, "cwe_ids": ["CWE-682"], "languages": ["typescript", "tsx", "javascript", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348032+00:00", "triaged_in_corpus": 12, "observations_count": 299917, "ai_coder_pattern_id": 135}, "scanner": "repobility-threat-engine", "correlation_key": "fp|68422ba275dafd9b020d8a064846dd259b750976175063befa642c8752e9ac84"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/docs/src/blocks/blocks/Source.stories.tsx"}, "region": {"startLine": 118}}}]}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 19 more): Same pattern found in 19 additional files. Review if needed."}, "properties": {"repobilityId": 66030, "scanner": "repobility-threat-engine", "fingerprint": "4b9a4fefd8163e8e417a9cb6780f3315c1f451b1a7ce33528729dad342398819", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 19 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|4b9a4fefd8163e8e417a9cb6780f3315c1f451b1a7ce33528729dad342398819"}}}, {"ruleId": "SEC041", "level": "none", "message": {"text": "[SEC041] Tabnabbing \u2014 target=\"_blank\" without rel=\"noopener noreferrer\" (and 2 more): Same pattern found in 2 additional files. Review if needed."}, "properties": {"repobilityId": 66026, "scanner": "repobility-threat-engine", "fingerprint": "0eef884db84dc77198cfae04feff1d5e87337621ea6e75bc6e5e06b9220adcd5", "category": "security", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 2 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC041", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|0eef884db84dc77198cfae04feff1d5e87337621ea6e75bc6e5e06b9220adcd5"}}}, {"ruleId": "SEC006", "level": "none", "message": {"text": "[SEC006] XSS Risk (and 15 more): Same pattern found in 15 additional files. Review if needed."}, "properties": {"repobilityId": 66020, "scanner": "repobility-threat-engine", "fingerprint": "a4e5727347d2f51d3ec54527bb80130dc4a9ab8ce3677d115af687b549585435", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 15 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC006", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|a4e5727347d2f51d3ec54527bb80130dc4a9ab8ce3677d115af687b549585435"}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html (and 4 more): Same pattern found in 4 additional files. Review if needed."}, "properties": {"repobilityId": 66016, "scanner": "repobility-threat-engine", "fingerprint": "b00d577a1057957f67ad2302cbc95a6a91a9ef4fe2a39ce058aadf87e6fd4ded", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 4 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|b00d577a1057957f67ad2302cbc95a6a91a9ef4fe2a39ce058aadf87e6fd4ded", "aggregated_count": 4}}}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 66015, "scanner": "repobility-threat-engine", "fingerprint": "5a0da7c65b576f45441d0d3ccc3e348051101a260e7ac7c0eca25eed5900e7cb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5a0da7c65b576f45441d0d3ccc3e348051101a260e7ac7c0eca25eed5900e7cb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/component-testing/components/InteractionsPanel.tsx"}, "region": {"startLine": 194}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 66014, "scanner": "repobility-threat-engine", "fingerprint": "09ae11a3557dd583efcd4bae28d883147c38d49a6e538924b3a0ebde065cf2f8", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|09ae11a3557dd583efcd4bae28d883147c38d49a6e538924b3a0ebde065cf2f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/component-testing/components/Interaction.tsx"}, "region": {"startLine": 225}}}]}, {"ruleId": "MINED058", "level": "none", "message": {"text": "[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses Reacts JSX escaping. Pair with DOMPurify or never use with user data."}, "properties": {"repobilityId": 66013, "scanner": "repobility-threat-engine", "fingerprint": "d85268a35f1c08a2d8a71de73707fe6ef4bd15498d9fa3394e84a1e7d13194a0", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "react-dangerously-set-html", "owasp": "A03:2021", "cwe_ids": ["CWE-79"], "languages": ["javascript", "typescript"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348037+00:00", "triaged_in_corpus": 12, "observations_count": 255650, "ai_coder_pattern_id": 49}, "scanner": "repobility-threat-engine", "correlation_key": "fp|d85268a35f1c08a2d8a71de73707fe6ef4bd15498d9fa3394e84a1e7d13194a0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/a11y/src/components/VisionSimulator.tsx"}, "region": {"startLine": 64}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any (and 98 more): Same pattern found in 98 additional files. Review if needed."}, "properties": {"repobilityId": 66012, "scanner": "repobility-threat-engine", "fingerprint": "7072fe5ab714422dbf754b85a32b6301991b1649e780bff340ffa90cde36834c", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 98 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|7072fe5ab714422dbf754b85a32b6301991b1649e780bff340ffa90cde36834c", "aggregated_count": 98}}}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 66011, "scanner": "repobility-threat-engine", "fingerprint": "6dece49715422aa75ddcd1b257f66461e6320af1037731157b35d9350d55a72b", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6dece49715422aa75ddcd1b257f66461e6320af1037731157b35d9350d55a72b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/docs/src/blocks/blocks/Controls.tsx"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 66010, "scanner": "repobility-threat-engine", "fingerprint": "b90c069adbd531dcf9f08b718a1b9b317af4f724845d13b793a22046f7af3887", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|b90c069adbd531dcf9f08b718a1b9b317af4f724845d13b793a22046f7af3887"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/docs/src/blocks/blocks/ArgTypes.tsx"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED054", "level": "none", "message": {"text": "[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely."}, "properties": {"repobilityId": 66009, "scanner": "repobility-threat-engine", "fingerprint": "7fdfe0a2b4ace29535b6e7e70b579d4ec57ebd77f32c37d3bf95337eda97a641", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-as-any", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348028+00:00", "triaged_in_corpus": 12, "observations_count": 341218, "ai_coder_pattern_id": 98}, "scanner": "repobility-threat-engine", "correlation_key": "fp|7fdfe0a2b4ace29535b6e7e70b579d4ec57ebd77f32c37d3bf95337eda97a641"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/a11y/src/a11yRunner.ts"}, "region": {"startLine": 48}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed (and 224 more): Same pattern found in 224 additional files. Review if needed."}, "properties": {"repobilityId": 66008, "scanner": "repobility-threat-engine", "fingerprint": "e5af9da44a0e51414087b4e7f63c314747c6fd7acc4283bd426a1a402f8e7c54", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 224 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|e5af9da44a0e51414087b4e7f63c314747c6fd7acc4283bd426a1a402f8e7c54", "aggregated_count": 224}}}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 66007, "scanner": "repobility-threat-engine", "fingerprint": "a3ca80d42c729df15a02c70fa629078f04f353dd01776ec21425a0d676f396eb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|a3ca80d42c729df15a02c70fa629078f04f353dd01776ec21425a0d676f396eb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/a11y/src/components/Report/Report.stories.tsx"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 66006, "scanner": "repobility-threat-engine", "fingerprint": "6c5fbde576b56fdeacdf87cfc45944f896bb69373661ba304ca4ee83763bc943", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6c5fbde576b56fdeacdf87cfc45944f896bb69373661ba304ca4ee83763bc943"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/a11y/src/components/A11YPanel.stories.tsx"}, "region": {"startLine": 40}}}]}, {"ruleId": "MINED052", "level": "none", "message": {"text": "[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety."}, "properties": {"repobilityId": 66005, "scanner": "repobility-threat-engine", "fingerprint": "fad05ead8cbe95c3833b949c613fa67cd9451329dea51877da55a869a5421a38", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-any-typed", "owasp": null, "cwe_ids": ["CWE-704"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348022+00:00", "triaged_in_corpus": 12, "observations_count": 496002, "ai_coder_pattern_id": 97}, "scanner": "repobility-threat-engine", "correlation_key": "fp|fad05ead8cbe95c3833b949c613fa67cd9451329dea51877da55a869a5421a38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/.storybook/isChromatic.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion (and 74 more): Same pattern found in 74 additional files. Review if needed."}, "properties": {"repobilityId": 66004, "scanner": "repobility-threat-engine", "fingerprint": "6ff5465d4609b6292ea53455237d1331dd4b710217934db8608c3a4059ecbf40", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 74 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|6ff5465d4609b6292ea53455237d1331dd4b710217934db8608c3a4059ecbf40", "aggregated_count": 74}}}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 66003, "scanner": "repobility-threat-engine", "fingerprint": "3ac76073050ab485ebfd472aadbf086e0974e5605897cb8869a43230ef745eea", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3ac76073050ab485ebfd472aadbf086e0974e5605897cb8869a43230ef745eea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/docs/src/blocks/blocks/Controls.tsx"}, "region": {"startLine": 68}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 66002, "scanner": "repobility-threat-engine", "fingerprint": "3219f977dc351db65b1b7f4ff01bdcaf889d5ce72bb93fec0771b037f32b6f1a", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3219f977dc351db65b1b7f4ff01bdcaf889d5ce72bb93fec0771b037f32b6f1a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/a11y/template/stories/parameters.stories.ts"}, "region": {"startLine": 154}}}]}, {"ruleId": "MINED045", "level": "none", "message": {"text": "[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong."}, "properties": {"repobilityId": 66001, "scanner": "repobility-threat-engine", "fingerprint": "ce8ad867536ed871c4d4c0e540add2de9d0d7f7a5c7322ddcad252c851a271ee", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ts-non-null-assertion", "owasp": null, "cwe_ids": ["CWE-476"], "languages": ["typescript", "tsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348005+00:00", "triaged_in_corpus": 12, "observations_count": 1810954, "ai_coder_pattern_id": 105}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ce8ad867536ed871c4d4c0e540add2de9d0d7f7a5c7322ddcad252c851a271ee"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/.storybook/isChromatic.ts"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod (and 40 more): Same pattern found in 40 additional files. Review if needed."}, "properties": {"repobilityId": 66000, "scanner": "repobility-threat-engine", "fingerprint": "a5261b46db027b9eb0e9cb7a82a85720baa09d85050d8d1bb17e2c068e0d6b6f", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 40 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|a5261b46db027b9eb0e9cb7a82a85720baa09d85050d8d1bb17e2c068e0d6b6f", "aggregated_count": 40}}}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 65999, "scanner": "repobility-threat-engine", "fingerprint": "9a04adc7845d36704c8d5748d9619763b2f5861764cd177e8432fa492b7c781c", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|9a04adc7845d36704c8d5748d9619763b2f5861764cd177e8432fa492b7c781c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/docs/src/mdx-loader.ts"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 65998, "scanner": "repobility-threat-engine", "fingerprint": "3109144462e7df72868d5b65a0fed7fc32bc0f9d2195b9984d5215029773acbc", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|3109144462e7df72868d5b65a0fed7fc32bc0f9d2195b9984d5215029773acbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/minor-release/write-minor-changelog-section.ts"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 65997, "scanner": "repobility-threat-engine", "fingerprint": "bddcaaf00e353a515262a3c54c65102bf2daae846ee517404cc278f1f3596f57", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|bddcaaf00e353a515262a3c54c65102bf2daae846ee517404cc278f1f3596f57"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/minor-release/get-minor-changelog-summary.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC085", "level": "none", "message": {"text": "[SEC085] JS: child_process.exec with non-literal (and 6 more): Same pattern found in 6 additional files. Review if needed."}, "properties": {"repobilityId": 65996, "scanner": "repobility-threat-engine", "fingerprint": "9ad9bf0c265cd321c150a08a072a8e145739f2cd1982875a84041789b62e4bac", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 6 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9ad9bf0c265cd321c150a08a072a8e145739f2cd1982875a84041789b62e4bac"}}}, {"ruleId": "SEC045", "level": "none", "message": {"text": "[SEC045] eval()/exec() on stored or user-supplied data (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 65992, "scanner": "repobility-threat-engine", "fingerprint": "9a38e81725d4cd7d3858c2dca40b30fff35130f2f83e2579933f8cbdf2284cba", "category": "injection", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC045", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9a38e81725d4cd7d3858c2dca40b30fff35130f2f83e2579933f8cbdf2284cba"}}}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66139, "scanner": "repobility-supply-chain", "fingerprint": "9ce09afe798d6f2162dbac86f49452010d16effc358c21ceb726fa15efbda657", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9ce09afe798d6f2162dbac86f49452010d16effc358c21ceb726fa15efbda657"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 243}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `getsentry/action-release` pinned to mutable ref `@v3`: `uses: getsentry/action-release@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66138, "scanner": "repobility-supply-chain", "fingerprint": "318388fd8c7369493e636b679c93b50c91111a7133389f0e1a6e6bb87d0cd3de", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|318388fd8c7369493e636b679c93b50c91111a7133389f0e1a6e6bb87d0cd3de"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 189}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66137, "scanner": "repobility-supply-chain", "fingerprint": "f13d1a83d1aa6c51b572c050919567a92309d00fdf6268c46cc04f86b3e5b0b9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f13d1a83d1aa6c51b572c050919567a92309d00fdf6268c46cc04f86b3e5b0b9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 52}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66136, "scanner": "repobility-supply-chain", "fingerprint": "599f42f21e6e69a73b8d8dcbe0a36c8a4a2759951600f9a2fe5f670f0ee0af7a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|599f42f21e6e69a73b8d8dcbe0a36c8a4a2759951600f9a2fe5f670f0ee0af7a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/generate-sandboxes.yml"}, "region": {"startLine": 73}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66135, "scanner": "repobility-supply-chain", "fingerprint": "de8b7ae85bf3c31c63ad506d7312d3f55c7c91fa0914cc69c043e4b578b95b21", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|de8b7ae85bf3c31c63ad506d7312d3f55c7c91fa0914cc69c043e4b578b95b21"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/generate-sandboxes.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66134, "scanner": "repobility-supply-chain", "fingerprint": "e1d57c93fa227e032eafdda0f7b870ca7bddbac6cb9f484fd6ecac1119bc79f6", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e1d57c93fa227e032eafdda0f7b870ca7bddbac6cb9f484fd6ecac1119bc79f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prepare-patch-release.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/stale` pinned to mutable ref `@v9`: `uses: actions/stale@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66133, "scanner": "repobility-supply-chain", "fingerprint": "6c7d9a65ebeac95f148d1ed7513a9202e081a98474f5eac76e308c6b74ce6bfc", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6c7d9a65ebeac95f148d1ed7513a9202e081a98474f5eac76e308c6b74ce6bfc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/stale.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66132, "scanner": "repobility-supply-chain", "fingerprint": "0436d37ab49b87f92b1a7c4734a4d619347700fda0c73f721b563f73a3191d3d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0436d37ab49b87f92b1a7c4734a4d619347700fda0c73f721b563f73a3191d3d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fork-checks.yml"}, "region": {"startLine": 53}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66131, "scanner": "repobility-supply-chain", "fingerprint": "2776de5e210e285962e5cbccb9993fd98cbfc2491b5e88598232b5104e3b05c2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2776de5e210e285962e5cbccb9993fd98cbfc2491b5e88598232b5104e3b05c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fork-checks.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66130, "scanner": "repobility-supply-chain", "fingerprint": "85e4fae6ce66a1559eac9d4b2dcdabc0ffb467faaa53d0c455b3f81c316e5ee5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|85e4fae6ce66a1559eac9d4b2dcdabc0ffb467faaa53d0c455b3f81c316e5ee5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/fork-checks.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `gaurav-nelson/github-action-markdown-link-check` pinned to mutable ref `@v1`: `uses: gaurav-nelson/github-action-markdown-link-check@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66129, "scanner": "repobility-supply-chain", "fingerprint": "72adbd114e658c537f895b2b4aa210799201d9ea17fb2adb6453e8a576410960", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|72adbd114e658c537f895b2b4aa210799201d9ea17fb2adb6453e8a576410960"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cron-weekly.yml"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66128, "scanner": "repobility-supply-chain", "fingerprint": "d916a5a1694c4211931b100c4423cfa49374959046092f2837d597cd18a2da4e", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d916a5a1694c4211931b100c4423cfa49374959046092f2837d597cd18a2da4e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cron-weekly.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66127, "scanner": "repobility-supply-chain", "fingerprint": "f3fcfe318beb0633ae87b89a1ffa557f0291494abb8600be2bb45465821acf20", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f3fcfe318beb0633ae87b89a1ffa557f0291494abb8600be2bb45465821acf20"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/handle-release-branches.yml"}, "region": {"startLine": 58}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `notiz-dev/github-action-json-property` pinned to mutable ref `@release`: `uses: notiz-dev/github-action-json-property@release` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66126, "scanner": "repobility-supply-chain", "fingerprint": "38137b82b46af523754e7f2364b3a118992e5a76581f38bd79b522d4e5eb6e11", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|38137b82b46af523754e7f2364b3a118992e5a76581f38bd79b522d4e5eb6e11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/handle-release-branches.yml"}, "region": {"startLine": 42}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66125, "scanner": "repobility-supply-chain", "fingerprint": "34c2c6478eac20425cf4ff6e1156fbb950d81b66545840502d5ff217b0e50387", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|34c2c6478eac20425cf4ff6e1156fbb950d81b66545840502d5ff217b0e50387"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/handle-release-branches.yml"}, "region": {"startLine": 36}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66124, "scanner": "repobility-supply-chain", "fingerprint": "69deec8a9270fe0a4e4298604e8972e9f1f7a0b74bad6c9eee712a0784976f38", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|69deec8a9270fe0a4e4298604e8972e9f1f7a0b74bad6c9eee712a0784976f38"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/handle-release-branches.yml"}, "region": {"startLine": 27}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66123, "scanner": "repobility-supply-chain", "fingerprint": "3a184786c5493229435e902315515992720c8d8df0798dddd8d3f566ea5e044a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3a184786c5493229435e902315515992720c8d8df0798dddd8d3f566ea5e044a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nx.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `nrwl/nx-set-shas` pinned to mutable ref `@v4`: `uses: nrwl/nx-set-shas@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66122, "scanner": "repobility-supply-chain", "fingerprint": "9977d8a51a66f948589c90e2eef48833e0607378246a9f9ca5ec51e10fc2765d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|9977d8a51a66f948589c90e2eef48833e0607378246a9f9ca5ec51e10fc2765d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nx.yml"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66121, "scanner": "repobility-supply-chain", "fingerprint": "2f957f90622fbda6c07d291682a7b8fd412c43334215f40d492fcbb39ae33cc8", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2f957f90622fbda6c07d291682a7b8fd412c43334215f40d492fcbb39ae33cc8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nx.yml"}, "region": {"startLine": 85}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66120, "scanner": "repobility-supply-chain", "fingerprint": "861c6b93d0dea65237b8faa929e1e24c7435d48b70e5430cc953623857ec1ab5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|861c6b93d0dea65237b8faa929e1e24c7435d48b70e5430cc953623857ec1ab5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nx.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66119, "scanner": "repobility-supply-chain", "fingerprint": "c9e87dcdc3de405613490688430ff7644297f5ec3c4906161b191876d2396509", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c9e87dcdc3de405613490688430ff7644297f5ec3c4906161b191876d2396509"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/nx.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `balazsorban44/nissuer` pinned to mutable ref `@1.10.0`: `uses: balazsorban44/nissuer@1.10.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66118, "scanner": "repobility-supply-chain", "fingerprint": "7db4b6a17c96dfb35ce96d8232af1f771744cb923cdf897eb1ac7fe28fa96df2", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|7db4b6a17c96dfb35ce96d8232af1f771744cb923cdf897eb1ac7fe28fa96df2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/triage.yml"}, "region": {"startLine": 21}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66117, "scanner": "repobility-supply-chain", "fingerprint": "ffeba4fd2473ac046437b99c05c5e5190ee9b0a98f427ff9f604da39e7fad858", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ffeba4fd2473ac046437b99c05c5e5190ee9b0a98f427ff9f604da39e7fad858"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/prepare-non-patch-release.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `fjogeleit/http-request-action` pinned to mutable ref `@v1`: `uses: fjogeleit/http-request-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 66116, "scanner": "repobility-supply-chain", "fingerprint": "5042c15c26a03f4e72ca0be89055a5220761006ba7148ac9bc6aba288c09b422", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5042c15c26a03f4e72ca0be89055a5220761006ba7148ac9bc6aba288c09b422"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/trigger-circle-ci-workflow.yml"}, "region": {"startLine": 63}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 66077, "scanner": "repobility-threat-engine", "fingerprint": "dc8c393bb981dbabe1d61b5361cd54ff17a0030d198232f7bb5f8aff4c6034a4", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|dc8c393bb981dbabe1d61b5361cd54ff17a0030d198232f7bb5f8aff4c6034a4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/frameworks/nextjs/src/font/webpack/loader/local/get-font-face-declarations.ts"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 66076, "scanner": "repobility-threat-engine", "fingerprint": "c72f3405c8fd8f0ce788a7617794a321aa58e8bbb6f16104129fee5ee9eef923", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|c72f3405c8fd8f0ce788a7617794a321aa58e8bbb6f16104129fee5ee9eef923"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/frameworks/nextjs/src/font/webpack/loader/google/get-font-face-declarations.ts"}, "region": {"startLine": 41}}}]}, {"ruleId": "SEC100", "level": "error", "message": {"text": "[SEC100] CORS permissive Access-Control-Allow-Origin: *: Permissive CORS policy (`*` origin) allows any website to make authenticated cross-origin requests. Especially dangerous when combined with `Access-Control-Allow-Credentials: true`."}, "properties": {"repobilityId": 66065, "scanner": "repobility-threat-engine", "fingerprint": "ad293d8d0d0a96dd20fda5180d74488954309e3aaf8bfd64e10d06ab89343a13", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'Access-Control-Allow-Origin', '*'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC100", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ad293d8d0d0a96dd20fda5180d74488954309e3aaf8bfd64e10d06ab89343a13"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/core-server/utils/index-json.ts"}, "region": {"startLine": 68}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 66050, "scanner": "repobility-threat-engine", "fingerprint": "3aacef14176c50407158b578b73dbda87fe3557b4864004b85f5976626033cbc", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(actions", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|3aacef14176c50407158b578b73dbda87fe3557b4864004b85f5976626033cbc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/actions/addArgsHelpers.ts"}, "region": {"startLine": 29}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 66049, "scanner": "repobility-threat-engine", "fingerprint": "ad22741af5ef5cac0d7706b1c22166268b652c5ebd3efa562e0fab3038eadd11", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(globalsList", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ad22741af5ef5cac0d7706b1c22166268b652c5ebd3efa562e0fab3038eadd11"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/builders/builder-vite/src/plugins/storybook-external-globals-plugin.ts"}, "region": {"startLine": 59}}}]}, {"ruleId": "SEC083", "level": "error", "message": {"text": "[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) \u2014 variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0)."}, "properties": {"repobilityId": 66048, "scanner": "repobility-threat-engine", "fingerprint": "97ca4c00db2093b09336b1bbb3ed996c50f4bac75b4facd62b2950ed82787c6d", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "new RegExp(pseudoStatesPattern", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC083", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|97ca4c00db2093b09336b1bbb3ed996c50f4bac75b4facd62b2950ed82787c6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/pseudo-states/src/preview/rewriteStyleSheet.ts"}, "region": {"startLine": 10}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 66041, "scanner": "repobility-threat-engine", "fingerprint": "fda46bb1334d24e3007eaf5e626ff428bc10107d0612588b17eb41e0fce561ba", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": ".innerHTML = `\n      <style>\n        button {\n          font-family: \"Nunito Sans\", \"Helvetica Neue\"", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fda46bb1334d24e3007eaf5e626ff428bc10107d0612588b17eb41e0fce561ba"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/pseudo-states/src/stories/ShadowRoot.tsx"}, "region": {"startLine": 12}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 66040, "scanner": "repobility-threat-engine", "fingerprint": "c64612d063c39f5b08d45813cb79425b430f72b7c80cdf5d6631640d7ba75c1c", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((s) => `.pseudo-${s}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|c64612d063c39f5b08d45813cb79425b430f72b7c80cdf5d6631640d7ba75c1c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/pseudo-states/src/preview/rewriteStyleSheet.ts"}, "region": {"startLine": 46}}}]}, {"ruleId": "SEC040", "level": "error", "message": {"text": "[SEC040] innerHTML XSS \u2014 template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline."}, "properties": {"repobilityId": 66039, "scanner": "repobility-threat-engine", "fingerprint": "fc4c375d1cc730889ea8267b1a3eb5c14eea76e0b53c5a48277867a70c9f0e92", "category": "xss", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "map((item) => `${item[0]}=${item[1]}", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC040", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|fc4c375d1cc730889ea8267b1a3eb5c14eea76e0b53c5a48277867a70c9f0e92"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/links/src/utils.ts"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 66037, "scanner": "repobility-threat-engine", "fingerprint": "7f12634793f966fcce3f3cc5c961c5d8658d92dcdf0617eaca534f55c6389bc9", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "src.update(startPosition, endPosition, transformedImport);", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7f12634793f966fcce3f3cc5c961c5d8658d92dcdf0617eaca534f55c6389bc9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/builders/builder-vite/src/plugins/storybook-external-globals-plugin.ts"}, "region": {"startLine": 108}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 66036, "scanner": "repobility-threat-engine", "fingerprint": "e0e8459e076ee278b099587c7b5058319d346a44ceab8a615c6229c46e1e9159", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "tocbot.destroy();", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|e0e8459e076ee278b099587c7b5058319d346a44ceab8a615c6229c46e1e9159"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/docs/src/blocks/components/TableOfContents.tsx"}, "region": {"startLine": 200}}}]}, {"ruleId": "SEC128", "level": "error", "message": {"text": "[SEC128] Async function without await \u2014 fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work completes \u2014 DB writes lost, emails not sent, race conditions. This is one of the top-3 errors AI coders make: they understand async-shape but drop the await keyword when chaining multiple ops. Surfaces as flaky tests or silently dropped data in production."}, "properties": {"repobilityId": 66035, "scanner": "repobility-threat-engine", "fingerprint": "ebb2e9ad6e0b530fb582482ddf47306c6cf3a24a9157ab67565808afb869dc78", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "Promise.all(", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC128", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|ebb2e9ad6e0b530fb582482ddf47306c6cf3a24a9157ab67565808afb869dc78"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/docs/src/blocks/blocks/useStory.ts"}, "region": {"startLine": 25}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 66029, "scanner": "repobility-threat-engine", "fingerprint": "d6c76c0720aecf7d979f725f2fe9bfaa568bb290664db15c0ece50ec3b984b15", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(o", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|d6c76c0720aecf7d979f725f2fe9bfaa568bb290664db15c0ece50ec3b984b15"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/scripts/generate-source-files.ts"}, "region": {"startLine": 160}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 66028, "scanner": "repobility-threat-engine", "fingerprint": "24be0658b8e8bb4243b763bd6dfc1ce52488a8d19ca22c4554cbcc1eb78563cd", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(u", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|24be0658b8e8bb4243b763bd6dfc1ce52488a8d19ca22c4554cbcc1eb78563cd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/docs/src/blocks/controls/Files.tsx"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 66027, "scanner": "repobility-threat-engine", "fingerprint": "2a8419db064e87141447824c3c6e42661840af00def57a430fa48fe5cb9d041e", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(g", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2a8419db064e87141447824c3c6e42661840af00def57a430fa48fe5cb9d041e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/addons/docs/src/blocks/blocks/DocsContainer.tsx"}, "region": {"startLine": 43}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 65995, "scanner": "repobility-threat-engine", "fingerprint": "b9a818b3a70de61089456182aaf62c4bb6fbf2d3ff6410dff6a6cefd432675ff", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(args", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|b9a818b3a70de61089456182aaf62c4bb6fbf2d3ff6410dff6a6cefd432675ff"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/client-logger/index.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 65994, "scanner": "repobility-threat-engine", "fingerprint": "5a2609e5f22b13332503d18b3ec8d981c1059bf7a4e5291c5f32b161b4b14825", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5a2609e5f22b13332503d18b3ec8d981c1059bf7a4e5291c5f32b161b4b14825"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/.storybook/bench/bench.stories.tsx"}, "region": {"startLine": 34}}}]}, {"ruleId": "SEC085", "level": "error", "message": {"text": "[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0)."}, "properties": {"repobilityId": 65993, "scanner": "repobility-threat-engine", "fingerprint": "cca1b60957d205c5d5d7ee0166301adcca0ae375a9cb4269359c4d06fc7815c2", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "exec(content", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC085", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|cca1b60957d205c5d5d7ee0166301adcca0ae375a9cb4269359c4d06fc7815c2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".agents/skills/minor-release/get-minor-changelog-summary.ts"}, "region": {"startLine": 49}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66150, "scanner": "repobility-supply-chain", "fingerprint": "466e6d2298a737b9710f978ab1f5dc9f63f3ef6d3d27a9efad43e8f5d7fae828", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|466e6d2298a737b9710f978ab1f5dc9f63f3ef6d3d27a9efad43e8f5d7fae828"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 299}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66149, "scanner": "repobility-supply-chain", "fingerprint": "848701a175bd9d3a1962d1768e7bf991f6f4c22ec28ca22478bc5498194786e4", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|848701a175bd9d3a1962d1768e7bf991f6f4c22ec28ca22478bc5498194786e4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 272}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NX_CLOUD_ACCESS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NX_CLOUD_ACCESS_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66148, "scanner": "repobility-supply-chain", "fingerprint": "6eaeaf8d06c97643adb6d8cf9d7c96a90ef70145709a08c73c959beb940b6371", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6eaeaf8d06c97643adb6d8cf9d7c96a90ef70145709a08c73c959beb940b6371"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 265}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66147, "scanner": "repobility-supply-chain", "fingerprint": "07966c452ab1bd0e7203788925d38f75f03dd7479b943daa3fdd30454e1f2e83", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|07966c452ab1bd0e7203788925d38f75f03dd7479b943daa3fdd30454e1f2e83"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 247}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66146, "scanner": "repobility-supply-chain", "fingerprint": "25a361b3edd2fdc16c9379956b3cb80c79137f7a7f09a4111009167a67df20e0", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|25a361b3edd2fdc16c9379956b3cb80c79137f7a7f09a4111009167a67df20e0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 226}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.DISCORD_MONITORING_URL` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DISCORD_MONITORING_URL }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66145, "scanner": "repobility-supply-chain", "fingerprint": "cc220d5cd1f95ba4cd6f9163732cdf48e843548d9810264cc8e4ee141ac69fa9", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|cc220d5cd1f95ba4cd6f9163732cdf48e843548d9810264cc8e4ee141ac69fa9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 201}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SENTRY_PROJECT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_PROJECT }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66144, "scanner": "repobility-supply-chain", "fingerprint": "faf4c973e5d174fe56a3b4d8fe4a86b5b9dd8075416390f766e3bcf51e64b08f", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|faf4c973e5d174fe56a3b4d8fe4a86b5b9dd8075416390f766e3bcf51e64b08f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 193}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SENTRY_ORG` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_ORG }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66143, "scanner": "repobility-supply-chain", "fingerprint": "ba7750a0c13a8b21ae9fdc80be6ad64df16a12ca9120b05e070642bd853257d6", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ba7750a0c13a8b21ae9fdc80be6ad64df16a12ca9120b05e070642bd853257d6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.SENTRY_AUTH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.SENTRY_AUTH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66142, "scanner": "repobility-supply-chain", "fingerprint": "12b70727de78d73a311b830161f64a85e620f0bc2558956a913c2370f5c8b843", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|12b70727de78d73a311b830161f64a85e620f0bc2558956a913c2370f5c8b843"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 191}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.NX_CLOUD_ACCESS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NX_CLOUD_ACCESS_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66141, "scanner": "repobility-supply-chain", "fingerprint": "29ca6c8ec12e52cea7ed23638eea42222b16006b1bb050ce416215821daf09ae", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|29ca6c8ec12e52cea7ed23638eea42222b16006b1bb050ce416215821daf09ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 108}}}]}, {"ruleId": "MINED116", "level": "error", "message": {"text": "[MINED116] Workflow uses `secrets.GH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_TOKEN }` lets a PR from any fork exfiltrate the secret (modify a script, log the value, etc.). Use `pull_request_target` ONLY with strict checkout discipline (no fork code in the trusted context)."}, "properties": {"repobilityId": 66140, "scanner": "repobility-supply-chain", "fingerprint": "6624f5f1468760566d764f652b6324c2bb15457ae64eb12e534991c7170d1eab", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-pull-request-secrets", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6624f5f1468760566d764f652b6324c2bb15457ae64eb12e534991c7170d1eab"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/publish.yml"}, "region": {"startLine": 55}}}]}, {"ruleId": "SEC009", "level": "error", "message": {"text": "[SEC009] .env File Committed: .env file with secrets committed to repository."}, "properties": {"repobilityId": 66078, "scanner": "repobility-threat-engine", "fingerprint": "5d2991e6b2f00e4b61d743d1035228f1df1aa036f7a4897f3fc085baaab5fc55", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": ".env file exists in repository root", "evidence": {"reason": ".env file exists in repository root", "rule_id": "SEC009", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5d2991e6b2f00e4b61d743d1035228f1df1aa036f7a4897f3fc085baaab5fc55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".env"}, "region": {"startLine": 1}}}]}, {"ruleId": "MINED035", "level": "error", "message": {"text": "[MINED035] Js New Function: new Function(...) compiles strings to functions."}, "properties": {"repobilityId": 66075, "scanner": "repobility-threat-engine", "fingerprint": "f30b1f33a269509ad9cc788ef39d841abdb9fe989ab370d6323b5cd2624ef5a3", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-new-function", "owasp": null, "cwe_ids": ["CWE-95"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347980+00:00", "triaged_in_corpus": 20, "observations_count": 2547, "ai_coder_pattern_id": 104}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f30b1f33a269509ad9cc788ef39d841abdb9fe989ab370d6323b5cd2624ef5a3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/frameworks/angular/src/server/framework-preset-angular-ivy.ts"}, "region": {"startLine": 28}}}]}, {"ruleId": "MINED019", "level": "error", "message": {"text": "[MINED019] Ssti Jinja From String: jinja2.Environment().from_string(user_input) \u2014 full RCE via templates."}, "properties": {"repobilityId": 66070, "scanner": "repobility-threat-engine", "fingerprint": "ec650d4e200fbdb5781445b4bbc11eed19e0644ea20c9ca5e028cf11e9b6013a", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "ssti-jinja-from-string", "owasp": "A03:2021", "cwe_ids": ["CWE-94"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347943+00:00", "triaged_in_corpus": 20, "observations_count": 47984, "ai_coder_pattern_id": 34}, "scanner": "repobility-threat-engine", "correlation_key": "fp|ec650d4e200fbdb5781445b4bbc11eed19e0644ea20c9ca5e028cf11e9b6013a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/frameworks/angular/src/client/angular-beta/ComputesTemplateFromComponent.ts"}, "region": {"startLine": 77}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 66068, "scanner": "repobility-threat-engine", "fingerprint": "541fb7d02452b68b03d633e6eb2e762d76cf1ba1de6e46d6ea645bf4ddc5ced2", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(filepath", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|541fb7d02452b68b03d633e6eb2e762d76cf1ba1de6e46d6ea645bf4ddc5ced2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/frameworks/nextjs-vite/src/find-postcss-config.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 66067, "scanner": "repobility-threat-engine", "fingerprint": "dcff2c0c575603c975628d594bddb639621f2971227dcf6a2e90f8d92e9fd2f6", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(`${", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dcff2c0c575603c975628d594bddb639621f2971227dcf6a2e90f8d92e9fd2f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/frameworks/ember/src/client/preview/render.ts"}, "region": {"startLine": 16}}}]}, {"ruleId": "SEC084", "level": "error", "message": {"text": "[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules \u2014 equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0)."}, "properties": {"repobilityId": 66066, "scanner": "repobility-threat-engine", "fingerprint": "9ddbce0264b6e5a093c56ed9926f6161afec56d810e4fbf8fa0328df5a2adeb8", "category": "quality", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "require(path", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC084", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|9ddbce0264b6e5a093c56ed9926f6161afec56d810e4fbf8fa0328df5a2adeb8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "code/core/src/shared/utils/module.ts"}, "region": {"startLine": 89}}}]}, {"ruleId": "CORE_ENV_FILE", "level": "error", "message": {"text": ".env file committed to repository"}, "properties": {"repobilityId": 65988, "scanner": "repobility-core", "fingerprint": "23cf83b5b9ef2fbf14bfabb5febcb625a2b459499bad568b550a990d3c7e1f81", "category": "security", "severity": "critical", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_ENV_FILE", "scanner": "repobility-core", "correlation_key": "fp|23cf83b5b9ef2fbf14bfabb5febcb625a2b459499bad568b550a990d3c7e1f81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".env"}, "region": {"startLine": 1}}}]}]}]}