
github/copilot-sdk

https://github.com/github/copilot-sdk · lang: java · LOC: · source: user_submitted

Quality
66.4
Grade B-
Security
34.6
Findings
170
26 critical · 94 high
Status
completed
Jun 4, 2026 23:18
critical: 26 · high: 94 · medium: 27 · low: 8 · info: 15
Top rules by occurrence
Rule · Severity · Count
MINED106 · Phantom test coverage (assertion-free test) · high · 25
MINED108 · self.attribute used but never assigned in __init__ · high · 25
MINED116 · GHA pull_request workflow leaks secrets to forks · critical · 25
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · high · 25
MINED111 · Bare except continues silently · medium · 25
MINED071 · Go Panic Call · info · 4
MINED044 · Js Console Log Prod · info · 4
SEC013 · Path Traversal — User Input in File Path · high · 4
MINED016 · Go Error Ignored · high · 3
MINED003 · Rust Unwrap In Prod · high · 3
First 170 findings (severity-sorted)
critical MINED107 Missing Python import (NameError at runtime) CWE-1075
python/e2e/test_session_fs_e2e.py:333 · conf 1.00
[MINED107] Missing import: `stat` used but not imported: The file uses `stat.something(...)` but never imports `stat`. This raises NameError at runtime the first time the line executes.
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/dotnet-sdk-tests.yml:85 · conf 0.90
[MINED116] Workflow uses `secrets.COPILOT_DEVELOPER_CLI_INTEGRATION_HMAC_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ …
Caveat for this rule (applies to every MINED116 hit below): GitHub does not pass repository or environment secrets to `pull_request` runs triggered from a fork, and the `GITHUB_TOKEN` there is read-only, so the reference evaluates to an empty string rather than leaking (same-repository branches do receive secrets, but their authors already have write access). Fork-controlled code sees the base repository's secrets only under `pull_request_target` (or `workflow_run`) combined with a checkout of the PR head (`ref: ${{ github.event.pull_request.head.sha }}`). Check the actual trigger of each flagged file before treating these 25 findings as critical.
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/go-sdk-tests.yml:83 · conf 0.90
[MINED116] Workflow uses `secrets.COPILOT_DEVELOPER_CLI_INTEGRATION_HMAC_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ …
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/java-codegen-check.yml:112 · conf 0.90
[MINED116] Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/java-codegen-check.yml:196 · conf 0.90
[MINED116] Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/nodejs-sdk-tests.yml:80 · conf 0.90
[MINED116] Workflow uses `secrets.COPILOT_DEVELOPER_CLI_INTEGRATION_HMAC_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ …
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/python-sdk-tests.yml:91 · conf 0.90
[MINED116] Workflow uses `secrets.COPILOT_DEVELOPER_CLI_INTEGRATION_HMAC_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ …
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/rust-sdk-tests.yml:122 · conf 0.90
[MINED116] Workflow uses `secrets.COPILOT_DEVELOPER_CLI_INTEGRATION_HMAC_KEY` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ …
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/sdk-consistency-review.lock.yml:146 · conf 0.90
[MINED116] Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/sdk-consistency-review.lock.yml:424 · conf 0.90
[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/sdk-consistency-review.lock.yml:426 · conf 0.90
[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/sdk-consistency-review.lock.yml:442 · conf 0.90
[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOK…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/sdk-consistency-review.lock.yml:443 · conf 0.90
[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/sdk-consistency-review.lock.yml:675 · conf 0.90
[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/sdk-consistency-review.lock.yml:791 · conf 0.90
[MINED116] Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/sdk-consistency-review.lock.yml:802 · conf 0.90
[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/sdk-consistency-review.lock.yml:854 · conf 0.90
[MINED116] Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/sdk-consistency-review.lock.yml:855 · conf 0.90
[MINED116] Workflow uses `secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/sdk-consistency-review.lock.yml:856 · conf 0.90
[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOK…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/sdk-consistency-review.lock.yml:1035 · conf 0.90
[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOK…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/sdk-consistency-review.lock.yml:1052 · conf 0.90
[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOK…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/sdk-consistency-review.lock.yml:1067 · conf 0.90
[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOK…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/sdk-consistency-review.lock.yml:1082 · conf 0.90
[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOK…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/sdk-consistency-review.lock.yml:1119 · conf 0.90
[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOK…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/sdk-consistency-review.lock.yml:1267 · conf 0.90
[MINED116] Workflow uses `secrets.COPILOT_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.COPILOT_GITHUB…
critical MINED116 GHA pull_request workflow leaks secrets to forks CWE-829
.github/workflows/sdk-consistency-review.lock.yml:1405 · conf 0.90
[MINED116] Workflow uses `secrets.GH_AW_GITHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GH_AW_GITHUB_TOK…
high AGT003 User-editable role instructions are inserted into the system prompt
nodejs/src/generated/session-events.ts:463 · conf 0.80
User-editable role instructions are inserted into the system prompt
high AGT003 User-editable role instructions are inserted into the system prompt
python/copilot/generated/session_events.py:6878 · conf 0.80
User-editable role instructions are inserted into the system prompt
high MINED003 Rust Unwrap In Prod CWE-755
rust/src/canvas.rs:217 · conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
high MINED003 Rust Unwrap In Prod CWE-755
rust/src/permission.rs:182 · conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
high MINED003 Rust Unwrap In Prod CWE-755
rust/src/subscription.rs:247 · conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
high MINED006 Overcatch Baseexception CWE-705
python/samples/chat.py:52 · conf 1.00
[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
high MINED016 Go Error Ignored CWE-754
go/internal/embeddedcli/embeddedcli.go:142 · conf 1.00
[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
high MINED016 Go Error Ignored CWE-754
go/internal/jsonrpc2/frame.go:90 · conf 1.00
[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
high MINED016 Go Error Ignored CWE-754
go/samples/manual_tool_resume/main.go:122 · conf 1.00
[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_client.py:249 · conf 1.00
[MINED106] Phantom test coverage: test_invalid_url_format: Test function `test_invalid_url_format` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds li…
Caveat for this rule: `with pytest.raises(...)` is a real check that contains no `assert`, `expect` or `should` token, yet fails the test when the exception is not raised. Names such as `test_malformed_uuid_raises_error`, `test_rejects_bad_name` and `test_elicitation_throws_when_capability_is_missing` below point to that pattern, so verify each flagged body before counting it as phantom coverage.
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_client.py:253 · conf 1.00
[MINED106] Phantom test coverage: test_invalid_port_too_high: Test function `test_invalid_port_too_high` runs code but contains no assert / expect / should call — it passes regardless of behaviour. A…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_client.py:257 · conf 1.00
[MINED106] Phantom test coverage: test_invalid_port_zero: Test function `test_invalid_port_zero` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_client.py:261 · conf 1.00
[MINED106] Phantom test coverage: test_invalid_port_negative: Test function `test_invalid_port_negative` runs code but contains no assert / expect / should call — it passes regardless of behaviour. A…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_client.py:271 · conf 1.00
[MINED106] Phantom test coverage: test_missing_initial_cwd: Test function `test_missing_initial_cwd` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_client.py:283 · conf 1.00
[MINED106] Phantom test coverage: test_missing_session_state_path: Test function `test_missing_session_state_path` runs code but contains no assert / expect / should call — it passes regardless of be…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_client.py:1309 · conf 1.00
[MINED106] Phantom test coverage: test_aexit_calls_stop: Test function `test_aexit_calls_stop` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line c…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_client.py:1326 · conf 1.00
[MINED106] Phantom test coverage: test_aexit_calls_disconnect: Test function `test_aexit_calls_disconnect` runs code but contains no assert / expect / should call — it passes regardless of behaviour.…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_commands_and_elicitation.py:358 · conf 1.00
[MINED106] Phantom test coverage: test_elicitation_throws_when_capability_is_missing: Test function `test_elicitation_throws_when_capability_is_missing` runs code but contains no assert / expect / sh…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_commands_and_elicitation.py:385 · conf 1.00
[MINED106] Phantom test coverage: test_confirm_throws_when_capability_is_missing: Test function `test_confirm_throws_when_capability_is_missing` runs code but contains no assert / expect / should cal…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_event_forward_compatibility.py:85 · conf 1.00
[MINED106] Phantom test coverage: test_malformed_uuid_raises_error: Test function `test_malformed_uuid_raises_error` runs code but contains no assert / expect / should call — it passes regardless of …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_event_forward_compatibility.py:99 · conf 1.00
[MINED106] Phantom test coverage: test_malformed_timestamp_raises_error: Test function `test_malformed_timestamp_raises_error` runs code but contains no assert / expect / should call — it passes rega…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_jsonrpc.py:138 · conf 1.00
[MINED106] Phantom test coverage: test_read_exact_empty_stream_raises_eof: Test function `test_read_exact_empty_stream_raises_eof` runs code but contains no assert / expect / should call — it passes …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_jsonrpc.py:150 · conf 1.00
[MINED106] Phantom test coverage: test_read_exact_partial_data_raises_eof: Test function `test_read_exact_partial_data_raises_eof` runs code but contains no assert / expect / should call — it passes …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_telemetry.py:33 · conf 1.00
[MINED106] Phantom test coverage: test_yields_without_error_when_no_traceparent: Test function `test_yields_without_error_when_no_traceparent` runs code but contains no assert / expect / should call …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_telemetry.py:38 · conf 1.00
[MINED106] Phantom test coverage: test_yields_without_error_when_otel_not_installed: Test function `test_yields_without_error_when_otel_not_installed` runs code but contains no assert / expect / shou…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_telemetry.py:51 · conf 1.00
[MINED106] Phantom test coverage: test_yields_without_error_with_traceparent: Test function `test_yields_without_error_with_traceparent` runs code but contains no assert / expect / should call — it p…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_telemetry.py:57 · conf 1.00
[MINED106] Phantom test coverage: test_yields_without_error_with_tracestate: Test function `test_yields_without_error_with_tracestate` runs code but contains no assert / expect / should call — it pas…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_tool_set.py:56 · conf 1.00
[MINED106] Phantom test coverage: test_rejects_bad_name: Test function `test_rejects_bad_name` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line c…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_tool_set.py:60 · conf 1.00
[MINED106] Phantom test coverage: test_rejects_empty: Test function `test_rejects_empty` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverag…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_tool_set.py:64 · conf 1.00
[MINED106] Phantom test coverage: test_rejects_colon: Test function `test_rejects_colon` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverag…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_tool_set.py:75 · conf 1.00
[MINED106] Phantom test coverage: test_empty_mode_requires_storage: Test function `test_empty_mode_requires_storage` runs code but contains no assert / expect / should call — it passes regardless of …
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_tool_set.py:84 · conf 1.00
[MINED106] Phantom test coverage: test_empty_mode_accepts_base_directory: Test function `test_empty_mode_accepts_base_directory` runs code but contains no assert / expect / should call — it passes re…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_tool_set.py:92 · conf 1.00
[MINED106] Phantom test coverage: test_empty_mode_accepts_session_fs: Test function `test_empty_mode_accepts_session_fs` runs code but contains no assert / expect / should call — it passes regardless…
high MINED106 Phantom test coverage (assertion-free test) CWE-1126
python/test_tool_set.py:100 · conf 1.00
[MINED106] Phantom test coverage: test_empty_mode_accepts_uri_connection: Test function `test_empty_mode_accepts_uri_connection` runs code but contains no assert / expect / should call — it passes re…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/e2e/test_session_fs_e2e.py:443 · conf 1.00
[MINED108] `self._exc` used but never assigned in __init__: Method `test_sessionfsprovider_converts_exceptions_to_rpc_errors` of class `TestSessionFs` reads `self._exc`, but no assignment to it exist…
Caveat for this rule: pytest does not collect a test class that defines `__init__`, so in `TestSessionFs` and `TestReadMessageWithLargePayloads` these attributes must be bound elsewhere (an autouse fixture, `setup_method`, or a class attribute) and the hits are expected noise; `_TestSessionFsProvider` is a plain helper class, so its `self._path` hits below are the ones worth verifying.
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/e2e/test_session_fs_e2e.py:446 · conf 1.00
[MINED108] `self._exc` used but never assigned in __init__: Method `test_sessionfsprovider_converts_exceptions_to_rpc_errors` of class `TestSessionFs` reads `self._exc`, but no assignment to it exist…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/e2e/test_session_fs_e2e.py:449 · conf 1.00
[MINED108] `self._exc` used but never assigned in __init__: Method `test_sessionfsprovider_converts_exceptions_to_rpc_errors` of class `TestSessionFs` reads `self._exc`, but no assignment to it exist…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/e2e/test_session_fs_e2e.py:452 · conf 1.00
[MINED108] `self._exc` used but never assigned in __init__: Method `test_sessionfsprovider_converts_exceptions_to_rpc_errors` of class `TestSessionFs` reads `self._exc`, but no assignment to it exist…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/e2e/test_session_fs_e2e.py:455 · conf 1.00
[MINED108] `self._exc` used but never assigned in __init__: Method `test_sessionfsprovider_converts_exceptions_to_rpc_errors` of class `TestSessionFs` reads `self._exc`, but no assignment to it exist…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/e2e/test_session_fs_e2e.py:458 · conf 1.00
[MINED108] `self._exc` used but never assigned in __init__: Method `test_sessionfsprovider_converts_exceptions_to_rpc_errors` of class `TestSessionFs` reads `self._exc`, but no assignment to it exist…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/e2e/test_session_fs_e2e.py:461 · conf 1.00
[MINED108] `self._exc` used but never assigned in __init__: Method `test_sessionfsprovider_converts_exceptions_to_rpc_errors` of class `TestSessionFs` reads `self._exc`, but no assignment to it exist…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/e2e/test_session_fs_e2e.py:464 · conf 1.00
[MINED108] `self._exc` used but never assigned in __init__: Method `test_sessionfsprovider_converts_exceptions_to_rpc_errors` of class `TestSessionFs` reads `self._exc`, but no assignment to it exist…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/e2e/test_session_fs_e2e.py:467 · conf 1.00
[MINED108] `self._exc` used but never assigned in __init__: Method `test_sessionfsprovider_converts_exceptions_to_rpc_errors` of class `TestSessionFs` reads `self._exc`, but no assignment to it exist…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/e2e/test_session_fs_e2e.py:470 · conf 1.00
[MINED108] `self._exc` used but never assigned in __init__: Method `test_sessionfsprovider_converts_exceptions_to_rpc_errors` of class `TestSessionFs` reads `self._exc`, but no assignment to it exist…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/e2e/test_session_fs_e2e.py:473 · conf 1.00
[MINED108] `self._exc` used but never assigned in __init__: Method `test_sessionfsprovider_converts_exceptions_to_rpc_errors` of class `TestSessionFs` reads `self._exc`, but no assignment to it exist…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/e2e/test_session_fs_e2e.py:563 · conf 1.00
[MINED108] `self._path` used but never assigned in __init__: Method `read_file` of class `_TestSessionFsProvider` reads `self._path`, but no assignment to it exists in __init__ (and no class-level fa…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/e2e/test_session_fs_e2e.py:566 · conf 1.00
[MINED108] `self._path` used but never assigned in __init__: Method `write_file` of class `_TestSessionFsProvider` reads `self._path`, but no assignment to it exists in __init__ (and no class-level f…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/e2e/test_session_fs_e2e.py:571 · conf 1.00
[MINED108] `self._path` used but never assigned in __init__: Method `append_file` of class `_TestSessionFsProvider` reads `self._path`, but no assignment to it exists in __init__ (and no class-level …
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/e2e/test_session_fs_e2e.py:577 · conf 1.00
[MINED108] `self._path` used but never assigned in __init__: Method `exists` of class `_TestSessionFsProvider` reads `self._path`, but no assignment to it exists in __init__ (and no class-level fallb…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/e2e/test_session_fs_e2e.py:580 · conf 1.00
[MINED108] `self._path` used but never assigned in __init__: Method `stat` of class `_TestSessionFsProvider` reads `self._path`, but no assignment to it exists in __init__ (and no class-level fallbac…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/e2e/test_session_fs_e2e.py:592 · conf 1.00
[MINED108] `self._path` used but never assigned in __init__: Method `mkdir` of class `_TestSessionFsProvider` reads `self._path`, but no assignment to it exists in __init__ (and no class-level fallba…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/e2e/test_session_fs_e2e.py:599 · conf 1.00
[MINED108] `self._path` used but never assigned in __init__: Method `readdir` of class `_TestSessionFsProvider` reads `self._path`, but no assignment to it exists in __init__ (and no class-level fall…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/e2e/test_session_fs_e2e.py:603 · conf 1.00
[MINED108] `self._path` used but never assigned in __init__: Method `readdir_with_types` of class `_TestSessionFsProvider` reads `self._path`, but no assignment to it exists in __init__ (and no class…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/test_jsonrpc.py:178 · conf 1.00
[MINED108] `self.create_jsonrpc_message` used but never assigned in __init__: Method `test_read_message_small_payload` of class `TestReadMessageWithLargePayloads` reads `self.create_jsonrpc_message`,…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/test_jsonrpc.py:199 · conf 1.00
[MINED108] `self.create_jsonrpc_message` used but never assigned in __init__: Method `test_read_message_large_payload_70kb` of class `TestReadMessageWithLargePayloads` reads `self.create_jsonrpc_mess…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/test_jsonrpc.py:221 · conf 1.00
[MINED108] `self.create_jsonrpc_message` used but never assigned in __init__: Method `test_read_message_large_payload_100kb` of class `TestReadMessageWithLargePayloads` reads `self.create_jsonrpc_mes…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/test_jsonrpc.py:239 · conf 1.00
[MINED108] `self.create_jsonrpc_message` used but never assigned in __init__: Method `test_read_message_exactly_64kb_content` of class `TestReadMessageWithLargePayloads` reads `self.create_jsonrpc_me…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/test_jsonrpc.py:256 · conf 1.00
[MINED108] `self.create_jsonrpc_message` used but never assigned in __init__: Method `test_read_message_multiple_messages_in_sequence` of class `TestReadMessageWithLargePayloads` reads `self.create_j…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/test_jsonrpc.py:257 · conf 1.00
[MINED108] `self.create_jsonrpc_message` used but never assigned in __init__: Method `test_read_message_multiple_messages_in_sequence` of class `TestReadMessageWithLargePayloads` reads `self.create_j…
high MINED110 Blocking call inside async function CWE-833
python/samples/chat.py:35 · conf 1.00
[MINED110] Blocking call `input` inside async function `main`: `input` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing every other coroutine …
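The following added example (not copilot-sdk code) makes the stall measurable. `time.sleep()` stands in for the blocking `input()` call named in the finding, since `input()` needs a terminal; a concurrent heartbeat coroutine counts how often the loop gets back to it while the worker is busy, first with the call made directly on the loop thread and then moved off-loop with `asyncio.to_thread()`, which is the usual fix.

```python
"""A synchronous call inside `async def` stalls the whole event loop.

Added example; not copilot-sdk code. time.sleep() stands in for the blocking
input() call in the finding (input() needs a terminal). A concurrent heartbeat
coroutine counts how often it gets scheduled while the worker is busy; with
asyncio.to_thread() the blocking call runs off-loop and the count stays healthy."""
import asyncio
import time

WORK_SECONDS = 0.2
TICK_SECONDS = 0.01


async def heartbeat(done: asyncio.Event) -> int:
    """Count iterations until `done` is set; each one needs the loop to be free."""
    ticks = 0
    while not done.is_set():
        ticks += 1
        await asyncio.sleep(TICK_SECONDS)
    return ticks


async def blocking_worker(done: asyncio.Event) -> None:
    # Same shape as input() inside an async main(): the loop thread itself is
    # stuck here, so no other coroutine runs until the call returns.
    time.sleep(WORK_SECONDS)
    done.set()


async def offloaded_worker(done: asyncio.Event) -> None:
    # Fix: run the blocking call in a worker thread and await its completion.
    await asyncio.to_thread(time.sleep, WORK_SECONDS)
    done.set()


async def _race(worker) -> int:
    done = asyncio.Event()
    # The worker is listed first so it gets the first turn on the loop.
    _, ticks = await asyncio.gather(worker(done), heartbeat(done))
    return ticks


def heartbeat_ticks(blocking: bool) -> int:
    """Heartbeat iterations observed while the worker ran: ~0 blocking, ~20 offloaded."""
    return asyncio.run(_race(blocking_worker if blocking else offloaded_worker))


if __name__ == "__main__":
    print("blocking worker :", heartbeat_ticks(True), "ticks")
    print("offloaded worker:", heartbeat_ticks(False), "ticks")
```

With the blocking worker the heartbeat never runs before `done` is already set, so the count is 0; off-loop it ticks roughly every 10 ms for the 200 ms the call takes. In an SDK client this is the difference between a stalled JSON-RPC reader and a responsive one while the user is at a prompt.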
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/copilot-setup-steps.yml:28 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/copilot-setup-steps.yml:32 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/copilot-setup-steps.yml:43 · conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/copilot-setup-steps.yml:49 · conf 0.90
[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v7`: `uses: astral-sh/setup-uv@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/copilot-setup-steps.yml:55 · conf 0.90
[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/copilot-setup-steps.yml:61 · conf 0.90
[MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v5`: `uses: actions/setup-dotnet@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/corrections-tests.yml:21 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/corrections-tests.yml:22 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/docs-validation.yml:28 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/docs-validation.yml:29 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/docs-validation.yml:53 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/docs-validation.yml:54 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/docs-validation.yml:58 · conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/docs-validation.yml:64 · conf 0.90
[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v7`: `uses: astral-sh/setup-uv@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/docs-validation.yml:86 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/docs-validation.yml:87 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/docs-validation.yml:91 · conf 0.90
[MINED115] Action `actions/setup-go` pinned to mutable ref `@v6`: `uses: actions/setup-go@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/docs-validation.yml:110 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/docs-validation.yml:111 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/docs-validation.yml:115 · conf 0.90
[MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v5`: `uses: actions/setup-dotnet@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/docs-validation.yml:137 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/docs-validation.yml:138 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/docs-validation.yml:142 · conf 0.90
[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/nodejs-sdk-tests.yml:48 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6.0.2`: `uses: actions/checkout@v6.0.2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/nodejs-sdk-tests.yml:49 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
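Worked example, added by the editor and not code from github/copilot-sdk: a small checker for the MINED115 pattern listed above. The workflow text, the action names and the 40-character SHA are constructed placeholders. It reports every `uses:` whose ref can move (`@v6`, a full tag such as `@v6.0.2`, a docker image tag, or no ref at all) and shows the pinned form with the tag kept as a trailing comment. A SHA pin stops the ref from changing under you; it does not audit what the pinned commit does, so the action still needs review at that commit.

```python
import re
from typing import List, Tuple

# Constructed sample workflow (not from the repository): two mutable refs of
# the shapes flagged above, one step pinned to a placeholder 40-char SHA with
# the tag kept as a comment, a same-repo action and a docker image by tag.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/checkout@v6.0.2
      - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - run: npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref: str) -> str:
    """Classify one `uses:` value as 'sha', 'mutable' or 'local'."""
    if ref.startswith("./"):
        return "local"  # same-repo action: fixed by the commit already checked out
    if ref.startswith("docker://"):
        # an image tag can be re-pushed just like a git tag; only a digest is immutable
        return "sha" if "@sha256:" in ref else "mutable"
    if "@" not in ref:
        return "mutable"  # no ref at all resolves to the action's default branch
    version = ref.rsplit("@", 1)[1]
    return "sha" if SHA40_RE.fullmatch(version) else "mutable"


def find_mutable_refs(workflow_text: str) -> List[Tuple[int, str]]:
    """(1-based line number, ref) for every step whose ref can change."""
    hits = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_uses(m.group("ref")) == "mutable":
            hits.append((lineno, m.group("ref")))
    return hits


def pin_ref(ref: str, sha: str) -> str:
    """Rewrite `owner/repo@tag` as `owner/repo@<sha> # tag`.

    The trailing comment keeps the tag readable and lets Dependabot bump the
    SHA when the tag moves. `sha` is the full commit id the caller looked up
    from the action's repository; nothing here derives it.
    """
    if not SHA40_RE.fullmatch(sha):
        raise ValueError("sha must be a 40-char lowercase hex commit id")
    action, tag = ref.rsplit("@", 1)
    return f"{action}@{sha} # {tag}"
```

`find_mutable_refs(SAMPLE_WORKFLOW)` flags lines 7, 8 and 11 of the sample; the same-repo action and the SHA-pinned step pass. Same-repo actions are only as trustworthy as the checked-out commit, which on a `pull_request` trigger is the fork's.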
high MINED122 package.json dep pulled from git URL or tarball CWE-829
nodejs/samples/package.json:1 · conf 0.90
[MINED122] package.json dep `@github/copilot-sdk` pulled from URL/Git: `dependencies.@github/copilot-sdk` = `file:..` bypasses the npm registry. No integrity hash, no version locking, no registry-sid…
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
go/samples/go.mod:17 · conf 0.90
[MINED128] go.mod replaces `github.com/github/copilot-sdk/go` — points to a LOCAL path: `replace github.com/github/copilot-sdk/go => ../` overrides the canonical dependency with a different source (p…
high SEC013 Path Traversal — User Input in File Path
go/canvas.go:95 · conf 0.80
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
high SEC013 Path Traversal — User Input in File Path
python/copilot/canvas.py:152 · conf 0.80
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
high SEC013 Path Traversal — User Input in File Path
rust/src/canvas.rs:229 · conf 0.80
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
java/src/main/java/com/github/copilot/rpc/ElicitationContext.java:108 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
java/src/main/java/com/github/copilot/rpc/McpHttpServerConfig.java:69 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
java/src/main/java/com/github/copilot/rpc/ProviderConfig.java:143 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
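Added example, editor's code rather than the project's Java: the allowlist validation the three SEC029 findings ask for, written in Python so it runs stand-alone. `ALLOWED_HOSTS` is a constructed placeholder. Beyond the hostname allowlist it rejects literal non-public addresses, including the link-local 169.254.169.254 metadata endpoint and its IPv4-mapped IPv6 spelling, and URLs carrying embedded credentials, which `urlsplit` parses with a different host than a casual reader expects.

```python
import ipaddress
from typing import Iterable
from urllib.parse import urlsplit


class UnsafeUrl(ValueError):
    """Raised when an outbound URL fails the SSRF policy."""


# Constructed allowlist; a real service loads this from configuration.
ALLOWED_HOSTS = frozenset({"api.example.com", "mcp.example.com"})


def is_blocked_literal_ip(host: str) -> bool:
    """True if `host` is a literal IP that must never be an outbound target.

    Rejects loopback, RFC 1918 and ULA private space, link-local (which holds
    the 169.254.169.254 cloud metadata endpoint), multicast, reserved and
    unspecified addresses. IPv4-mapped IPv6 is unwrapped first so that
    ::ffff:169.254.169.254 cannot slip past the IPv4 checks.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not a literal address; the hostname allowlist decides
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def validate_outbound_url(url: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> str:
    """Return `url` unchanged if it may be fetched, otherwise raise UnsafeUrl.

    Policy: https only, no credentials in the URL, hostname on the allowlist,
    and no literal non-public address.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # `https://api.example.com@10.0.0.1/` has host 10.0.0.1, not api.example.com
        raise UnsafeUrl("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    host = host.lower().rstrip(".")
    if is_blocked_literal_ip(host):
        raise UnsafeUrl(f"non-public address: {host}")
    if host not in {h.lower() for h in allowed_hosts}:
        raise UnsafeUrl(f"host not on allowlist: {host}")
    return url


def is_safe(url: str) -> bool:
    """Boolean form of validate_outbound_url for callers that prefer no exception."""
    try:
        validate_outbound_url(url)
        return True
    except UnsafeUrl:
        return False
```

Caveat: an allowlisted hostname can still resolve to an internal address (DNS rebinding, or a compromised zone), so the complete fix also checks the resolved address at connect time: resolve once, run the result through `is_blocked_literal_ip`, and connect to that address while sending the original Host header, rather than letting the HTTP client resolve again.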
high SEC085 JS: child_process.exec with non-literal
python/scripts/build-wheels.mjs:111 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
medium AGT013 Agent auto-approve or skip-permissions mode is easy to enable
.github/workflows/java-smoke-test.yml:77 · conf 0.68
Agent auto-approve or skip-permissions mode is easy to enable
medium MINED111 Bare except continues silently
python/copilot/session_fs_provider.py:171 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/copilot/session_fs_provider.py:179 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/copilot/session_fs_provider.py:186 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/copilot/session_fs_provider.py:193 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/copilot/session_fs_provider.py:206 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/copilot/session_fs_provider.py:226 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/copilot/session_fs_provider.py:233 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/copilot/session_fs_provider.py:241 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/copilot/session_fs_provider.py:255 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/copilot/session_fs_provider.py:262 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/copilot/session_fs_provider.py:303 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/copilot/session.py:1658 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/copilot/session.py:1709 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/copilot/tools.py:218 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/e2e/test_client_options_e2e.py:275 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/e2e/test_pending_work_resume_e2e.py:126 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/e2e/test_permissions_e2e.py:460 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/e2e/test_rpc_mcp_and_skills_e2e.py:342 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/e2e/test_rpc_remote_e2e.py:52 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/e2e/test_rpc_remote_e2e.py:67 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/e2e/test_rpc_session_state_e2e.py:528 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/e2e/test_rpc_workspace_checkpoints_e2e.py:127 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/e2e/test_session_fs_e2e.py:64 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/e2e/test_session_fs_sqlite_e2e.py:211 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/e2e/test_suspend_e2e.py:75 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium SEC012 ZipSlip — Archive Path Traversal
python/scripts/build-wheels.mjs:258 · conf 1.00
[SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
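One added example (editor's code, not the project's) covers both the SEC013 path-traversal findings in the `canvas` modules and the SEC012 ZipSlip finding in build-wheels.mjs, because both reduce to the same check: resolve the requested path against the permitted root and refuse anything that lands outside it. It is written in Python so it runs stand-alone; the directory names and archive contents are constructed. The extractor validates every member before writing anything, so a hostile archive produces no partial output.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple


class PathEscape(ValueError):
    """Raised when a requested path would resolve outside the permitted root."""

    def __init__(self, requested: str, root: Path):
        super().__init__(f"{requested!r} resolves outside {root}")
        self.requested = requested


def resolve_under(root: Path, untrusted: str) -> Path:
    """Join `untrusted` onto `root` and prove the result stays inside `root`.

    Both sides are resolved to real filesystem paths, so absolute input, `..`
    segments and symlinks are all caught. A plain string-prefix test would
    wrongly accept `/data/canvas_evil` as living under `/data/canvas`.
    """
    root_real = root.resolve()
    candidate = (root_real / untrusted).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise PathEscape(untrusted, root_real) from None
    return candidate


def classify_requests(names: Iterable[str]) -> Dict[str, bool]:
    """Map each untrusted path string to whether resolve_under accepts it.

    Uses a throwaway root holding one real file and, where the platform
    allows it, a symlink pointing outside the root.
    """
    verdicts: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "canvas"
        root.mkdir()
        (root / "notes.md").write_text("ok")
        outside = Path(tmp) / "secret.txt"
        outside.write_text("secret")
        try:
            os.symlink(outside, root / "link")
        except OSError:
            pass  # no symlink support here; that case is simply not exercised
        for name in names:
            try:
                resolve_under(root, name)
                verdicts[name] = True
            except PathEscape:
                verdicts[name] = False
    return verdicts


def safe_extract(archive: zipfile.ZipFile, dest: Path) -> List[Path]:
    """Extract `archive` into `dest`, refusing members that would land outside it."""
    dest.mkdir(parents=True, exist_ok=True)
    # Check every member name first so a hostile archive writes nothing at all.
    plan = [(m, resolve_under(dest, m.filename)) for m in archive.infolist()]
    written: List[Path] = []
    for member, target in plan:
        if member.is_dir():
            target.mkdir(parents=True, exist_ok=True)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        with archive.open(member) as src, open(target, "wb") as dst:
            dst.write(src.read())
        written.append(target)
    return written


def build_archive(members: Dict[str, bytes]) -> zipfile.ZipFile:
    """Constructed in-memory archive; the member names play the attacker's role."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    buf.seek(0)
    return zipfile.ZipFile(buf)


def try_extract(members: Dict[str, bytes]) -> Tuple[List[str], Optional[str]]:
    """Extract a constructed archive into a fresh temp dir.

    Returns the names written (relative to the destination) and the first
    rejected member name, or None when every member was accepted.
    """
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "out"
        try:
            written = safe_extract(build_archive(members), dest)
        except PathEscape as exc:
            return [], exc.requested
        base = dest.resolve()
        return sorted(p.relative_to(base).as_posix() for p in written), None
```

CPython's own `ZipFile.extract` already strips absolute prefixes and `..` components, which is one reason the ZipSlip finding sits in the Node build script rather than the Python SDK; the explicit check above is what a hand-rolled extractor has to do, and it rejects hostile names instead of silently rewriting them. Because `resolve()` follows symlinks, a link inside the root that points outside it is refused as well.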
low AIC003 Duplicated implementation block across source files
java/src/main/java/com/github/copilot/rpc/ResumeSessionRequest.java:15 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
rust/src/session_fs_dispatch.rs:22 · conf 0.86
Duplicated implementation block across source files
low COMP001 High cognitive complexity
python/copilot/_mode.py:139 · conf 0.95
[COMP001] High cognitive complexity: Function `_system_message_for_mode` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understa…
low COMP001 High cognitive complexity
python/copilot/_mode.py:261 · conf 0.95
[COMP001] High cognitive complexity: Function `_post_create_options_patch` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to under…
low COMP001 High cognitive complexity
python/samples/chat.py:15 · conf 0.95
[COMP001] High cognitive complexity: Function `main` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branche…
low ERR003 Ignored Error (Go)
go/internal/flock/flock.go:13 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
low ERR003 Ignored Error (Go)
go/mode_empty.go:262 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
low SEC132 String concat where the language has interpolation (AI style drift)
java/src/main/java/com/github/copilot/rpc/ToolSet.java:112 · conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
info MINED044 Js Console Log Prod CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 4 more): Same pattern found in 4 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
nodejs/examples/basic-example.ts:8 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
nodejs/samples/chat.ts:17 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
nodejs/samples/manual-tool-resume.ts:28 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED060 Go Context No Cancel CWE-401
go/samples/chat.go:18 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
info MINED060 Go Context No Cancel CWE-401
go/samples/manual_tool_resume/main.go:103 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
info MINED062 Python Dataclass No Fields
python/copilot/canvas.py:47 · conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
info MINED062 Python Dataclass No Fields
python/copilot/session_fs_provider.py:44 · conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
info MINED064 Python Input Call
python/samples/chat.py:35 · conf 1.00
[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
info MINED066 Rust Panic Macro CWE-755
rust/src/subscription.rs:268 · conf 1.00
[MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors.
info MINED071 Go Panic Call CWE-755
· conf 0.20
[MINED071] Go Panic Call (and 3 more): Same pattern found in 3 additional files. Review if needed.
info MINED071 Go Panic Call CWE-755
go/definetool.go:217 · conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
info MINED071 Go Panic Call CWE-755
go/internal/embeddedcli/embeddedcli.go:36 · conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
info MINED071 Go Panic Call CWE-755
go/mode_empty.go:35 · conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
info SEC013 Path Traversal — User Input in File Path
· conf 0.20
[SEC013] Path Traversal — User Input in File Path (and 1 more): Same pattern found in 1 additional files. Review if needed.

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/5ef0a980-c2f9-417c-a367-43c5f959e224/.