https://github.com/Shopify/polaris-react.git · lang: typescript · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 26 |
| SEC040 innerHTML XSS — template literal with server-supplied data | high | 4 |
| MINED054 Ts As Any | info | 4 |
| SEC045 eval()/exec() on stored or user-supplied data | medium | 4 |
| MINED056 React Key As Index | info | 4 |
| MINED057 Todo Bomb | info | 4 |
| SEC085 JS: child_process.exec with non-literal | high | 4 |
| MINED045 Ts Non Null Assertion | info | 4 |
| MINED044 Js Console Log Prod | info | 4 |
| SEC083 JS: new RegExp() with non-literal | high | 4 |
| Rule | Title | CWE | Location | Conf | Description |
|---|---|---|---|---|---|
| MINED018 | Unsafe Deserialization Pickle | CWE-502 | `.eslintrc.js:6` | 1.00 | pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data — RCE. |
| MINED018 | Unsafe Deserialization Pickle | CWE-502 | `polaris.shopify.com/src/utils/markdown.mjs:9` | 1.00 | pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data — RCE. |
| MINED116 | GHA pull_request workflow leaks secrets to forks | CWE-829 | `.github/workflows/ci-a11y-vrt.yml:166` | 0.90 | Workflow uses `secrets.CHROMATIC_PROJECT_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CHROMATIC_P… |
| SEC079 | Python: yaml.load without SafeLoader | | `.eslintrc.js:6` | 1.00 | yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-… |
| SEC079 | Python: yaml.load without SafeLoader | | `polaris.shopify.com/src/utils/markdown.mjs:9` | 1.00 | yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-… |
| SEC116 | Ruby YAML.load / Marshal.load on untrusted input | | `.eslintrc.js:6` | 1.00 | `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes — direct RCE on untrusted input. `unsafe_load` is even more dang… |
| SEC116 | Ruby YAML.load / Marshal.load on untrusted input | | `polaris.shopify.com/src/utils/markdown.mjs:9` | 1.00 | `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes — direct RCE on untrusted input. `unsafe_load` is even more dang… |
| MINED004 | Weak Crypto | CWE-327 | `polaris.shopify.com/pages/api/tokens/v0/[tokens].tsx:92` | 1.00 | MD5/SHA1/DES/RC4 used for security context (not just checksums). |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | `.github/workflows/cla.yml:19` | 0.90 | Action `Shopify/shopify-cla-action` pinned to mutable ref `@v1`: `uses: Shopify/shopify-cla-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner… |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | `.github/workflows/snapit.yml:22` | 0.90 | Action `Shopify/snapit` pinned to mutable ref `@v0.0.14`: `uses: Shopify/snapit@v0.0.14` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made th… |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | | `polaris-react/src/components/Form/Form.stories.tsx:62` | 1.00 | Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | | `polaris.shopify.com/pages/api/tokens/v0/index.tsx:84` | 1.00 | Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | | `polaris.shopify.com/pages/_app.tsx:60` | 1.00 | Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… |
| SEC040 | innerHTML XSS — template literal with server-supplied data | | `polaris-migrator/src/cli.ts:73` | 1.00 | Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect… |
| SEC040 | innerHTML XSS — template literal with server-supplied data | | `polaris-react/src/components/Image/Image.tsx:25` | 1.00 | Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect… |
| SEC040 | innerHTML XSS — template literal with server-supplied data | | `polaris-tokens/scripts/toStyleSheet.ts:53` | 1.00 | Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect… |
| SEC083 | JS: new RegExp() with non-literal | | `polaris-migrator/src/utilities/imports.ts:32` | 1.00 | `new RegExp(<variable>)` — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0). |
| SEC083 | JS: new RegExp() with non-literal | | `polaris-migrator/src/utilities/matches.ts:69` | 1.00 | `new RegExp(<variable>)` — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0). |
| SEC083 | JS: new RegExp() with non-literal | | `polaris-react/src/components/Picker/Picker.tsx:53` | 1.00 | `new RegExp(<variable>)` — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0). |
| SEC085 | JS: child_process.exec with non-literal | | `polaris-react/config/rollup/namespaced-classname.mjs:16` | 1.00 | child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0). |
| SEC085 | JS: child_process.exec with non-literal | | `polaris-react/config/rollup/plugin-styles.js:182` | 1.00 | child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0). |
| SEC085 | JS: child_process.exec with non-literal | | `polaris-react/src/components/Picker/Picker.tsx:164` | 1.00 | child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0). |
| SEC114 | path.join / Path() on user-controlled segment without containment check | | `polaris-migrator/src/utilities/check.ts:51` | 1.00 | filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../e… |
| SEC128 | Async function without await — fire-and-forget Promise (AI mistake) | | `polaris-react/src/utilities/breakpoints.ts:158` | 1.00 | Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple… |
| SEC128 | Async function without await — fire-and-forget Promise (AI mistake) | | `polaris.shopify.com/pages/examples/combobox-with-multi-select-and-vertical-content.tsx:35` | 1.00 | Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple… |
| AUC001 | No Repobility access matrix policy found | | | 0.92 | The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation. |
| ERR002 | Empty Catch Block | | `polaris.shopify.com/pages/_app.tsx:30` | 1.00 | Empty catch blocks hide errors. |
| SEC007 | Unsafe Deserialization | | `.eslintrc.js:6` | 1.00 | Unsafe deserialization can execute arbitrary code. |
| SEC007 | Unsafe Deserialization | | `polaris-icons/rollup.config.mjs:28` | 1.00 | Unsafe deserialization can execute arbitrary code. |
| SEC007 | Unsafe Deserialization | | `polaris.shopify.com/src/utils/markdown.mjs:9` | 1.00 | Unsafe deserialization can execute arbitrary code. |
| SEC041 | Tabnabbing — target="_blank" without rel="noopener noreferrer" | | `polaris-react/src/components/IndexTable/components/Row/Row.tsx:177` | 1.00 | `<a target="_blank">` without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win… |
| SEC045 | eval()/exec() on stored or user-supplied data | | `polaris-react/config/rollup/namespaced-classname.mjs:16` | 1.00 | eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (`__builtins__` … |
| SEC045 | eval()/exec() on stored or user-supplied data | | `polaris-react/config/rollup/plugin-styles.js:182` | 1.00 | eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (`__builtins__` … |
| SEC045 | eval()/exec() on stored or user-supplied data | | `polaris-react/src/components/Picker/Picker.tsx:164` | 1.00 | eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (`__builtins__` … |
| SEC046 | Client-side open redirect — window.location = server-supplied URL | | `polaris.shopify.com/src/components/InterstitialModal/InterstitialModal.tsx:199` | 1.00 | Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If t… |
| SEC134 | AI scaffold leftover — Lorem ipsum / example.com / John Doe in code | | `polaris-react/src/components/Tag/Tag.stories.tsx:68` | 1.00 | Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't… |
| SEC134 | AI scaffold leftover — Lorem ipsum / example.com / John Doe in code | | `polaris.shopify.com/pages/examples/data-table-with-all-of-its-elements.tsx:12` | 1.00 | Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't… |
| SEC134 | AI scaffold leftover — Lorem ipsum / example.com / John Doe in code | | `polaris.shopify.com/pages/examples/data-table-with-fixed-first-columns.tsx:15` | 1.00 | Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't… |
| SEC136 | AI-typical over-broad exception handler swallowing all errors | | `polaris.shopify.com/playroom/FrameComponent.tsx:44` | 1.00 | Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf… |
| AIC003 | Duplicated implementation block across source files | | `polaris-migrator/jest.config.js:1` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/BulkActions/components/BulkActionsMeasurer/BulkActionsMeasurer.tsx:32` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/BulkActions/components/BulkActionsMeasurer/BulkActionsMeasurer.tsx:61` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/ColorPicker/components/HuePicker/HuePicker.tsx:15` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/Combobox/Combobox.stories.tsx:17` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/LegacyCard/LegacyCard.stories.tsx:373` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/Modal/Modal.stories.tsx:36` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/Picker/components/SearchField/SearchField.tsx:26` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/Picker/Picker.tsx:99` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/Popover/Popover.stories.tsx:407` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/SelectAllActions/SelectAllActions.tsx:41` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/Sheet/Sheet.stories.tsx:166` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/Sheet/Sheet.stories.tsx:322` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/Tabs/components/List/List.tsx:11` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/Tabs/components/Panel/Panel.tsx:4` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/Tabs/components/Tab/components/DuplicateModal/DuplicateModal.tsx:101` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/Tabs/components/Tab/components/RenameModal/RenameModal.tsx:48` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/Tabs/components/Tab/components/RenameModal/RenameModal.tsx:100` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/Tabs/components/TabMeasurer/TabMeasurer.tsx:15` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/Tabs/Tabs.tsx:306` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/Tabs/utilities.ts:4` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/Toast/Toast.stories.tsx:221` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/TopBar/TopBar.tsx:86` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/UnstyledButton/UnstyledButton.tsx:21` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/VideoThumbnail/VideoThumbnail.stories.tsx:7` | 0.86 | |
| AIC003 | Duplicated implementation block across source files | | `polaris-react/src/components/VideoThumbnail/VideoThumbnail.stories.tsx:34` | 0.86 | |
| AUC005 | No authorization-focused tests detected | | | 0.76 | No test files with common authorization, ownership, 403, admin, or super_admin assertions were found. |
| SEC006 | XSS Risk | | `polaris-react/.storybook/RenderPerformanceProfiler/RenderPerformanceProfiler.tsx:31` | 0.40 | Direct HTML injection without sanitization. |
| MINED043 | Http Not Https | CWE-319 | `polaris-react/src/components/Icon/Icon.stories.tsx:160` | 1.00 | Hardcoded http:// (not localhost) for endpoints that handle credentials or data. |
| MINED043 | Http Not Https | CWE-319 | `polaris.shopify.com/pages/examples/icon-with-custom-svg.tsx:7` | 1.00 | Hardcoded http:// (not localhost) for endpoints that handle credentials or data. |
| MINED043 | Http Not Https | CWE-319 | `polaris.shopify.com/scripts/gen-site-map.ts:22` | 1.00 | Hardcoded http:// (not localhost) for endpoints that handle credentials or data. |
| MINED044 | Js Console Log Prod (and 72 more) | CWE-532 | | 0.20 | Same pattern found in 72 additional files. Review if needed. |
| MINED044 | Js Console Log Prod | CWE-532 | `polaris-migrator/src/migrate.ts:46` | 1.00 | console.log left in code. Should be replaced with logger or removed. |
| MINED044 | Js Console Log Prod | CWE-532 | `polaris-react/src/components/ActionList/ActionList.stories.tsx:54` | 1.00 | console.log left in code. Should be replaced with logger or removed. |
| MINED044 | Js Console Log Prod | CWE-532 | `polaris-react/.storybook/RenderPerformanceProfiler/RenderPerformanceProfiler.tsx:47` | 1.00 | console.log left in code. Should be replaced with logger or removed. |
| MINED045 | Ts Non Null Assertion (and 13 more) | CWE-476 | | 0.20 | Same pattern found in 13 additional files. Review if needed. |
| MINED045 | Ts Non Null Assertion | CWE-476 | `polaris-migrator/src/utilities/imports.ts:51` | 1.00 | `x!` asserts not null - bypasses null checks - TypeError if wrong. |
| MINED045 | Ts Non Null Assertion | CWE-476 | `polaris-migrator/src/utilities/jsx.ts:178` | 1.00 | `x!` asserts not null - bypasses null checks - TypeError if wrong. |
| MINED045 | Ts Non Null Assertion | CWE-476 | `polaris-react/playground/KitchenSink.tsx:32` | 1.00 | `x!` asserts not null - bypasses null checks - TypeError if wrong. |
| MINED052 | Ts Any Typed (and 35 more) | CWE-704 | | 0.20 | Same pattern found in 35 additional files. Review if needed. |
| MINED052 | Ts Any Typed | CWE-704 | `polaris-migrator/src/migrate.ts:71` | 1.00 | `: any` used as type annotation. Defeats TypeScript type safety. |
| MINED052 | Ts Any Typed | CWE-704 | `polaris-migrator/src/utilities/check.ts:10` | 1.00 | `: any` used as type annotation. Defeats TypeScript type safety. |
| MINED052 | Ts Any Typed | CWE-704 | `polaris-migrator/src/utilities/jsx.ts:170` | 1.00 | `: any` used as type annotation. Defeats TypeScript type safety. |
| MINED054 | Ts As Any (and 3 more) | CWE-704 | | 0.20 | Same pattern found in 3 additional files. Review if needed. |
| MINED054 | Ts As Any | CWE-704 | `polaris-react/src/components/ThemeProvider/ThemeProvider.tsx:22` | 1.00 | Casting to any (`as any`) bypasses type checking entirely. |
| MINED054 | Ts As Any | CWE-704 | `polaris-react/src/utilities/merge.ts:33` | 1.00 | Casting to any (`as any`) bypasses type checking entirely. |
| MINED054 | Ts As Any | CWE-704 | `polaris.shopify.com/src/components/CodesandboxButton/CodesandboxButton.tsx:55` | 1.00 | Casting to any (`as any`) bypasses type checking entirely. |
| MINED056 | React Key As Index (and 15 more) | CWE-682 | | 0.20 | Same pattern found in 15 additional files. Review if needed. |
| MINED056 | React Key As Index | CWE-682 | `polaris-react/src/components/BulkActions/BulkActions.tsx:246` | 1.00 | `key={index}` in map() — re-renders the wrong elements on re-order. |
| MINED056 | React Key As Index | CWE-682 | `polaris-react/src/components/BulkActions/components/BulkActionsMeasurer/BulkActionsMeasurer.tsx:70` | 1.00 | `key={index}` in map() — re-renders the wrong elements on re-order. |
| MINED056 | React Key As Index | CWE-682 | `polaris-react/src/components/ButtonGroup/ButtonGroup.tsx:45` | 1.00 | `key={index}` in map() — re-renders the wrong elements on re-order. |
| MINED057 | Todo Bomb (and 8 more) | | | 0.20 | Same pattern found in 8 additional files. Review if needed. |
| MINED057 | Todo Bomb | | `polaris-react/src/components/BulkActions/BulkActions.stories.tsx:16` | 1.00 | Code path with a TODO/FIXME/HACK comment that gates correctness — left for later but never resolved. |
| MINED057 | Todo Bomb | | `polaris.shopify.com/pages/examples/index-table-with-bulk-actions-and-selection-across-pages.tsx:83` | 1.00 | Code path with a TODO/FIXME/HACK comment that gates correctness — left for later but never resolved. |
| MINED057 | Todo Bomb | | `polaris.shopify.com/pages/examples/index-table-with-bulk-actions.tsx:83` | 1.00 | Code path with a TODO/FIXME/HACK comment that gates correctness — left for later but never resolved. |
| MINED058 | React Dangerously Set Html | CWE-79 | `polaris-react/src/components/TextField/components/Resizer/Resizer.tsx:42` | 1.00 | dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data. |
| MINED058 | React Dangerously Set Html | CWE-79 | `polaris.shopify.com/pages/_app.tsx:78` | 1.00 | dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data. |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 17 more) | | | 0.20 | Same pattern found in 17 additional files. Review if needed. |
| SEC040 | innerHTML XSS — template literal with server-supplied data (and 26 more) | | | 0.20 | Same pattern found in 26 additional files. Review if needed. |
| SEC045 | eval()/exec() on stored or user-supplied data (and 2 more) | | | 0.20 | Same pattern found in 2 additional files. Review if needed. |
| SEC083 | JS: new RegExp() with non-literal (and 18 more) | | | 0.20 | Same pattern found in 18 additional files. Review if needed. |
| SEC085 | JS: child_process.exec with non-literal (and 2 more) | | | 0.20 | Same pattern found in 2 additional files. Review if needed. |
| SEC134 | AI scaffold leftover — Lorem ipsum / example.com / John Doe in code (and 4 more) | | | 0.20 | Same pattern found in 4 additional files. Review if needed. |