{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "DKR002", "name": "Compose service `maildev` image has no explicit tag", "shortDescription": {"text": "Compose service `maildev` image has no explicit tag"}, "fullDescription": {"text": "Pin the image to a supported version tag or digest, for example python:3.13-slim or image@sha256:..."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC015", "name": "Database service has no healthcheck", "shortDescription": {"text": "Database service has no healthcheck"}, "fullDescription": {"text": "Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.88, "cwe": "", "owasp": ""}}, {"id": "DKC007", "name": "Compose service contains a literal secret environment value", "shortDescription": {"text": "Compose service contains a literal secret environment value"}, "fullDescription": {"text": "Rotate the value if real. Move it to Docker Compose secrets, a platform secret manager, or an uncommitted environment file."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC013", "name": "Database service has no persistent data volume", "shortDescription": {"text": "Database service has no persistent data volume"}, "fullDescription": {"text": "Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.74, "cwe": "", "owasp": ""}}, {"id": "DKR003", "name": "Compose service `redis-insight` image uses the latest tag", "shortDescription": {"text": "Compose service `redis-insight` image uses the latest tag"}, "fullDescription": {"text": "Pin to a maintained version tag or digest and update it deliberately through dependency automation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.94, "cwe": "", "owasp": ""}}, {"id": "DKR001", "name": "Docker final stage has no non-root USER", "shortDescription": {"text": "Docker final stage has no non-root USER"}, "fullDescription": {"text": "Add a non-root USER in the final runtime stage after files and permissions are prepared."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.82, "cwe": "", "owasp": ""}}, {"id": "DKR015", "name": "Docker build context is very large", "shortDescription": {"text": "Docker build context is very large"}, "fullDescription": {"text": "Shrink the build context with .dockerignore, move generated/runtime data outside the build context, and copy only the manifest files needed for cached dependency layers."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "medium", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "SEC134", "name": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left ", "shortDescription": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets"}, "fullDescription": {"text": "Move dummy values to fixtures / seed files. In application code, require these to come from config or fail closed. Add a CI grep that rejects 'lorem ipsum' and 'example.com' outside test files."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "medium", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_LARGE_FILES", "name": "Average file size is 742 lines (recommend <300)", "shortDescription": {"text": "Average file size is 742 lines (recommend <300)"}, "fullDescription": {"text": "Refactor large files by extracting related functions into separate modules. Target files with 300+ lines first. Use the Single Responsibility Principle \u2014 each module should have one clear purpose."}, "properties": {"scanner": "repobility-core", "category": "quality", "severity": "medium", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "DKC010", "name": "Compose service lacks no-new-privileges hardening", "shortDescription": {"text": "Compose service lacks no-new-privileges hardening"}, "fullDescription": {"text": "Add `security_opt: [\"no-new-privileges:true\"]` unless the service has a documented need for privilege escalation."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.62, "cwe": "", "owasp": ""}}, {"id": "DKC006", "name": "Compose service does not declare a runtime user", "shortDescription": {"text": "Compose service does not declare a runtime user"}, "fullDescription": {"text": "Set a non-root `user:` in Compose or ensure the final image stage has a non-root USER directive."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.56, "cwe": "", "owasp": ""}}, {"id": "DKC016", "name": "App service does not wait for database health", "shortDescription": {"text": "App service does not wait for database health"}, "fullDescription": {"text": "Give the database a healthcheck and change the dependency to `depends_on: { db: { condition: service_healthy } }`."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.68, "cwe": "", "owasp": ""}}, {"id": "DKC017", "name": "Database password is wired through an environment variable placeholder", "shortDescription": {"text": "Database password is wired through an environment variable placeholder"}, "fullDescription": {"text": "Prefer Compose secrets or your platform secret manager with *_FILE variables where the image supports them. Rotate only if a real value was committed."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.58, "cwe": "", "owasp": ""}}, {"id": "DKR008", "name": ".dockerignore misses sensitive defaults", "shortDescription": {"text": ".dockerignore misses sensitive defaults"}, "fullDescription": {"text": "Add missing patterns such as .env, .git, private keys, certificates, dependency folders, and local databases."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "low", "confidence": 0.72, "cwe": "", "owasp": ""}}, {"id": "AIC003", "name": "Duplicated implementation block across source files", "shortDescription": {"text": "Duplicated implementation block across source files"}, "fullDescription": {"text": "Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used."}, "properties": {"scanner": "repobility-ai-code-hygiene", "category": "quality", "severity": "low", "confidence": 0.86, "cwe": "", "owasp": ""}}, {"id": "SEC061", "name": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from", "shortDescription": {"text": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT)."}, "fullDescription": {"text": "If the JWT is live, invalidate by rotating the signing key. Move tokens out of source."}, "properties": {"scanner": "repobility-threat-engine", "category": "secret", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED053", "name": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeh", "shortDescription": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-1392,CWE-798 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED048", "name": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues.", "shortDescription": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-755 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "MINED004", "name": "[MINED004] Weak Crypto (and 8 more): Same pattern found in 8 additional files. Review if needed.", "shortDescription": {"text": "[MINED004] Weak Crypto (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "SEC029", "name": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additi", "shortDescription": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "fullDescription": {"text": "Validate the URL against an allowlist BEFORE fetching:\n  ALLOWED = {'images.example.com', 'cdn.example.com'}\n  host = urlparse(url).hostname\n  if host not in ALLOWED: abort(400)\nOr use a server-side proxy (Imgproxy / serve-files-only-from-S3) that isolates outbound network access from the request handler.\nBlock private CIDRs explicitly: 10/8, 172.16/12, 192.168/16, 169.254/16."}, "properties": {"scanner": "repobility-threat-engine", "category": "ssrf", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED043", "name": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed.", "shortDescription": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-319 / A02:2021 for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 0.2, "cwe": "", "owasp": ""}}, {"id": "MINED044", "name": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.", "shortDescription": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "fullDescription": {"text": "Review and fix per the pattern semantics. See CWE-532 /  for context."}, "properties": {"scanner": "repobility-threat-engine", "category": "quality", "severity": "info", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "SEC020", "name": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequen", "shortDescription": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "fullDescription": {"text": "Log only redacted, hashed, or last-four-style metadata. Rotate any secret that may have reached logs."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "cwe": "", "owasp": ""}}, {"id": "MINED115", "name": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. T", "shortDescription": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantl"}, "fullDescription": {"text": "Replace with: `uses: actions/cache@<40-char-sha>  # v4` and let Dependabot bump it on a scheduled cadence."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "MINED118", "name": "[MINED118] Dockerfile FROM `appwrite/base:0.10.6` not pinned by digest: `FROM appwrite/base:0.10.6` resolves the tag at ", "shortDescription": {"text": "[MINED118] Dockerfile FROM `appwrite/base:0.10.6` not pinned by digest: `FROM appwrite/base:0.10.6` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Produc"}, "fullDescription": {"text": "Replace with: `FROM appwrite/base:0.10.6@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot)."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC011", "name": "Database service publishes a host port", "shortDescription": {"text": "Database service publishes a host port"}, "fullDescription": {"text": "Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "high", "confidence": 0.84, "cwe": "", "owasp": ""}}, {"id": "CORE_NO_TESTS", "name": "No test files found", "shortDescription": {"text": "No test files found"}, "fullDescription": {"text": "Add a test directory (tests/ or __tests__/) with unit tests for core functionality. Use pytest (Python), Jest (JS/TS), or go test (Go). Start with tests for critical business logic and security-sensitive functions."}, "properties": {"scanner": "repobility-core", "category": "testing", "severity": "high", "confidence": null, "cwe": "", "owasp": ""}}, {"id": "MINED123", "name": "[MINED123] Trojan Source bidi character (RLM) in source: Line 54 contains a Unicode bidirectional override character (U+", "shortDescription": {"text": "[MINED123] Trojan Source bidi character (RLM) in source: Line 54 contains a Unicode bidirectional override character (U+200F RLM). This is the 'Trojan Source' attack (CVE-2021-42574): the character makes the compiler / interpreter see diffe"}, "fullDescription": {"text": "Audit the line manually. If the character is not intentional (it almost never is in code), remove it. Configure your editor / pre-commit hook to reject bidi controls in source."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "critical", "confidence": 0.9, "cwe": "", "owasp": ""}}, {"id": "DKC008", "name": "Compose service mounts the Docker socket", "shortDescription": {"text": "Compose service mounts the Docker socket"}, "fullDescription": {"text": "Avoid mounting docker.sock. Use a narrow proxy, rootless build service, or provider-native deployment credentials."}, "properties": {"scanner": "repobility-docker", "category": "docker", "severity": "critical", "confidence": 0.98, "cwe": "", "owasp": ""}}, {"id": "SEC009", "name": "[SEC009] .env File Committed: .env file with secrets committed to repository.", "shortDescription": {"text": "[SEC009] .env File Committed: .env file with secrets committed to repository."}, "fullDescription": {"text": "Add .env to .gitignore. Rotate all exposed credentials."}, "properties": {"scanner": "repobility-threat-engine", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "cwe": "", "owasp": ""}}, {"id": "CORE_ENV_FILE", "name": ".env file committed to repository", "shortDescription": {"text": ".env file committed to repository"}, "fullDescription": {"text": "Remove .env from version control: git rm --cached .env. Add '.env' to .gitignore. Rotate all exposed credentials."}, "properties": {"scanner": "repobility-core", "category": "security", "severity": "critical", "confidence": null, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/913"}, "properties": {"repository": "appwrite/appwrite", "repoUrl": "https://github.com/appwrite/appwrite", "branch": "main"}, "results": [{"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `maildev` image has no explicit tag"}, "properties": {"repobilityId": 85664, "scanner": "repobility-docker", "fingerprint": "520e18c72c46a0e0497e3d07fa934f143a04b01fc99dcd603902531cdca2e40e", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "djfarrelly/maildev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|520e18c72c46a0e0497e3d07fa934f143a04b01fc99dcd603902531cdca2e40e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 324}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 85663, "scanner": "repobility-docker", "fingerprint": "509894bf76b70bcd21f3b0fc0221cd0cfe0c58ae2e4a9fa141f5a2100821f2a5", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "mariadb", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|509894bf76b70bcd21f3b0fc0221cd0cfe0c58ae2e4a9fa141f5a2100821f2a5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 306}}}]}, {"ruleId": "DKC007", "level": "warning", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 85661, "scanner": "repobility-docker", "fingerprint": "c503ff0627e33014852669d59264f9ee84ea27988af0aff3d656fe0620fb2a33", "category": "docker", "severity": "medium", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal, but this Compose file is under a test/example/local path and needs human confirmation before treating it as production exposure.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "mariadb", "variable": "MYSQL_ROOT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "reference_or_local", "correlation_key": "fp|c503ff0627e33014852669d59264f9ee84ea27988af0aff3d656fe0620fb2a33", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 306}}}]}, {"ruleId": "DKC013", "level": "warning", "message": {"text": "Database service has no persistent data volume"}, "properties": {"repobilityId": 85621, "scanner": "repobility-docker", "fingerprint": "c8cf76cfb74adfadc571f0a19dde5d0b4d9951f9de73c8ff140eda8e0894f19d", "category": "docker", "severity": "medium", "confidence": 0.74, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service does not mount a known data directory.", "evidence": {"rule_id": "DKC013", "scanner": "repobility-docker", "service": "redis-insight", "references": ["https://docs.docker.com/engine/storage/volumes/"], "correlation_key": "fp|c8cf76cfb74adfadc571f0a19dde5d0b4d9951f9de73c8ff140eda8e0894f19d", "expected_targets": ["/data"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1185}}}]}, {"ruleId": "DKR003", "level": "warning", "message": {"text": "Compose service `redis-insight` image uses the latest tag"}, "properties": {"repobilityId": 85619, "scanner": "repobility-docker", "fingerprint": "e224d6cc23ca602113372677012a369f4332c3bdb8bfceb105a3ebe908f42b3c", "category": "docker", "severity": "medium", "confidence": 0.94, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image tag is latest.", "evidence": {"image": "redis/redisinsight:latest", "rule_id": "DKR003", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e224d6cc23ca602113372677012a369f4332c3bdb8bfceb105a3ebe908f42b3c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1185}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `adminer` image has no explicit tag"}, "properties": {"repobilityId": 85615, "scanner": "repobility-docker", "fingerprint": "33363370a6f901b116bacf3f6b543da52c441fbe9b2315bd7a5577bdfe03cbed", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "adminer", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|33363370a6f901b116bacf3f6b543da52c441fbe9b2315bd7a5577bdfe03cbed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1152}}}]}, {"ruleId": "DKC015", "level": "warning", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 85605, "scanner": "repobility-docker", "fingerprint": "504eeb8da6e17d5c90cfdd6f289a83b81c99856e116b7f2adae896c5fda5aa6d", "category": "docker", "severity": "medium", "confidence": 0.88, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "mariadb", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|504eeb8da6e17d5c90cfdd6f289a83b81c99856e116b7f2adae896c5fda5aa6d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1051}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `appwrite-task-scheduler-messages` image has no explicit tag"}, "properties": {"repobilityId": 85602, "scanner": "repobility-docker", "fingerprint": "b5199ef52df2f03f1521c57c00776ba91026ca7cd4959da11fac5b3a3cda99f8", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "appwrite-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|b5199ef52df2f03f1521c57c00776ba91026ca7cd4959da11fac5b3a3cda99f8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 935}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `appwrite-task-scheduler-executions` image has no explicit tag"}, "properties": {"repobilityId": 85601, "scanner": "repobility-docker", "fingerprint": "8e459fc141bea485daf115dff0e3f4fea0727df1b85613f7b2eff5e322b61814", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "appwrite-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8e459fc141bea485daf115dff0e3f4fea0727df1b85613f7b2eff5e322b61814"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 908}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `appwrite-task-scheduler-functions` image has no explicit tag"}, "properties": {"repobilityId": 85600, "scanner": "repobility-docker", "fingerprint": "1648ab3dd52da8cec522b16fa55aacee65a8adde162e7362a4c48d1e308f7780", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "appwrite-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1648ab3dd52da8cec522b16fa55aacee65a8adde162e7362a4c48d1e308f7780"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 880}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `appwrite-worker-stats-usage` image has no explicit tag"}, "properties": {"repobilityId": 85599, "scanner": "repobility-docker", "fingerprint": "71a226e82699d03ef054b45e08aa26c19a12ad08f55dbf64a9f6d2f6609affe3", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "appwrite-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|71a226e82699d03ef054b45e08aa26c19a12ad08f55dbf64a9f6d2f6609affe3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 849}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `appwrite-worker-stats-resources` image has no explicit tag"}, "properties": {"repobilityId": 85598, "scanner": "repobility-docker", "fingerprint": "1c3b3f57171dcce7b291e01ed40a4903e22ad61986e732c6e81eccadae7f39ce", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "appwrite-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|1c3b3f57171dcce7b291e01ed40a4903e22ad61986e732c6e81eccadae7f39ce"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 818}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `appwrite-task-stats-resources` image has no explicit tag"}, "properties": {"repobilityId": 85597, "scanner": "repobility-docker", "fingerprint": "daf63ae9daf988872c7e3a473816a10e00ddb95667163c42337df6dd0abc6c54", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "appwrite-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|daf63ae9daf988872c7e3a473816a10e00ddb95667163c42337df6dd0abc6c54"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 787}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `appwrite-task-maintenance` image has no explicit tag"}, "properties": {"repobilityId": 85596, "scanner": "repobility-docker", "fingerprint": "5f30912156555170817748215a1d353680e7f34ba2210a65de0b5185e2841fb0", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "appwrite-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|5f30912156555170817748215a1d353680e7f34ba2210a65de0b5185e2841fb0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 744}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `appwrite-worker-migrations` image has no explicit tag"}, "properties": {"repobilityId": 85595, "scanner": "repobility-docker", "fingerprint": "23acc2f5f548eb764fa4d8868a8177411f647cc15a77bc5c2397c351f8fbdd98", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "appwrite-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|23acc2f5f548eb764fa4d8868a8177411f647cc15a77bc5c2397c351f8fbdd98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 702}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `appwrite-worker-messaging` image has no explicit tag"}, "properties": {"repobilityId": 85594, "scanner": "repobility-docker", "fingerprint": "8ad53b0a8d18c269bd062764cd09cd0c8074332511959e5b358db593d47a58e7", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "appwrite-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8ad53b0a8d18c269bd062764cd09cd0c8074332511959e5b358db593d47a58e7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 647}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `appwrite-worker-mails` image has no explicit tag"}, "properties": {"repobilityId": 85593, "scanner": "repobility-docker", "fingerprint": "73c08df452db951e4fdbb2c53461c611d676a2ee9f9d4d5c54c140231698d0ac", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "appwrite-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|73c08df452db951e4fdbb2c53461c611d676a2ee9f9d4d5c54c140231698d0ac"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 613}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `appwrite-worker-functions` image has no explicit tag"}, "properties": {"repobilityId": 85592, "scanner": "repobility-docker", "fingerprint": "a790f248c7be6c21b90616f9428a2a4495701858c4a04b0767dba6fad063cce2", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "appwrite-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a790f248c7be6c21b90616f9428a2a4495701858c4a04b0767dba6fad063cce2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 570}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `appwrite-worker-certificates` image has no explicit tag"}, "properties": {"repobilityId": 85591, "scanner": "repobility-docker", "fingerprint": "13a55468c0a9840825ae1481677d4225f5d16db5ecf27f0bfa5f7285da29ea51", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "appwrite-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|13a55468c0a9840825ae1481677d4225f5d16db5ecf27f0bfa5f7285da29ea51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 531}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `appwrite-worker-builds` image has no explicit tag"}, "properties": {"repobilityId": 85590, "scanner": "repobility-docker", "fingerprint": "eceff1f880df7ac84fe16c5f6d303e678cffb6af9e17a5fbf87f1cc4caaa6b8f", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "appwrite-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|eceff1f880df7ac84fe16c5f6d303e678cffb6af9e17a5fbf87f1cc4caaa6b8f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 457}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `appwrite-worker-databases` image has no explicit tag"}, "properties": {"repobilityId": 85589, "scanner": "repobility-docker", "fingerprint": "6c326a54da8ebadeeb3ca4b105fe0a50803f902e75e245090d883adf06d1cdf1", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "appwrite-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|6c326a54da8ebadeeb3ca4b105fe0a50803f902e75e245090d883adf06d1cdf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 426}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `appwrite-worker-deletes` image has no explicit tag"}, "properties": {"repobilityId": 85588, "scanner": "repobility-docker", "fingerprint": "8de842f1216f09555e7ebb3accd980ea2715f6c1af3d5f5fe0e926518d1db6ae", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "appwrite-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8de842f1216f09555e7ebb3accd980ea2715f6c1af3d5f5fe0e926518d1db6ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 363}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `appwrite-worker-webhooks` image has no explicit tag"}, "properties": {"repobilityId": 85587, "scanner": "repobility-docker", "fingerprint": "febbc06cfac00e0708c66e1e89c622419a121c9440a83c03312783402d6d840c", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "appwrite-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|febbc06cfac00e0708c66e1e89c622419a121c9440a83c03312783402d6d840c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 330}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `appwrite-worker-audits` image has no explicit tag"}, "properties": {"repobilityId": 85586, "scanner": "repobility-docker", "fingerprint": "8687efee9625bc163cf926ea0dd1e14ab3d4d7fe0846176ec082398661a8c048", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "appwrite-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|8687efee9625bc163cf926ea0dd1e14ab3d4d7fe0846176ec082398661a8c048"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 301}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `appwrite-realtime` image has no explicit tag"}, "properties": {"repobilityId": 85582, "scanner": "repobility-docker", "fingerprint": "a7030810a41549c12676ee247951179279afb4995a74f54ff44c18ef621e61dc", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "appwrite-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|a7030810a41549c12676ee247951179279afb4995a74f54ff44c18ef621e61dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 251}}}]}, {"ruleId": "DKR002", "level": "warning", "message": {"text": "Compose service `appwrite` image has no explicit tag"}, "properties": {"repobilityId": 85577, "scanner": "repobility-docker", "fingerprint": "7866a690d591bfc777865c7776cb2d56b0201ba219ce0f9ce74df7214ce55a77", "category": "docker", "severity": "medium", "confidence": 0.9, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Image reference has no tag or digest.", "evidence": {"image": "appwrite-dev", "rule_id": "DKR002", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/scout/policy/", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|7866a690d591bfc777865c7776cb2d56b0201ba219ce0f9ce74df7214ce55a77"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1228}}}]}, {"ruleId": "DKR001", "level": "warning", "message": {"text": "Docker final stage has no non-root USER"}, "properties": {"repobilityId": 85574, "scanner": "repobility-docker", "fingerprint": "e7c3e570992a8a79495bbef39a1f57988ed5f6b2cb8278544c031815f81e74e2", "category": "docker", "severity": "medium", "confidence": 0.82, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "No USER directive was found in the final runtime stage.", "evidence": {"rule_id": "DKR001", "scanner": "repobility-docker", "final_base": "base", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html", "https://github.com/hadolint/hadolint"], "correlation_key": "fp|e7c3e570992a8a79495bbef39a1f57988ed5f6b2cb8278544c031815f81e74e2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 105}}}]}, {"ruleId": "DKR015", "level": "warning", "message": {"text": "Docker build context is very large"}, "properties": {"repobilityId": 85573, "scanner": "repobility-docker", "fingerprint": "b15d4f710afeff2af4cd4ab204332853f9025b78869a0e87bb466a798bb1a15b", "category": "docker", "severity": "medium", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Estimated Docker build context exceeds Repobility's size or file-count threshold.", "evidence": {"capped": false, "rule_id": "DKR015", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "largest_paths": [{"path": "tests/resources/disk-a/large-file.mp4", "size_mb": 22.6}, {"path": "tests/resources/longtext.txt", "size_mb": 11.6}, {"path": "app/assets/dbip/dbip-country-lite-2025-12.mmdb", "size_mb": 7.0}, {"path": "tests/resources/functions/large/blue.mp4", "size_mb": 6.8}, {"path": "public/images/sponsorship.svg", "size_mb": 3.5}], "included_files": 48309, "context_size_mb": 182.5, "correlation_key": "fp|b15d4f710afeff2af4cd4ab204332853f9025b78869a0e87bb466a798bb1a15b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 85537, "scanner": "repobility-threat-engine", "fingerprint": "593c053f94cfc985168bc97241a5a412a1e24ee94d54df036f3f7bdcd01e04ea", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'John Doe'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|593c053f94cfc985168bc97241a5a412a1e24ee94d54df036f3f7bdcd01e04ea"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Appwrite/Utopia/Response/Model/Log.php"}, "region": {"startLine": 35}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 85536, "scanner": "repobility-threat-engine", "fingerprint": "2866ecf4fd5cf73950de0bcffa9e0d28fae74146bdefa1389afc52e1b3a00762", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'user@example.com'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|2866ecf4fd5cf73950de0bcffa9e0d28fae74146bdefa1389afc52e1b3a00762"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Appwrite/Utopia/Response/Model/Identity.php"}, "region": {"startLine": 53}}}]}, {"ruleId": "SEC134", "level": "warning", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't know real values; the human then forgets to swap them. In production, these break demo flows, send mail to a real example.com host (it's owned by IANA), and leak that the codebase had an AI scaffolding pass."}, "properties": {"repobilityId": 85535, "scanner": "repobility-threat-engine", "fingerprint": "dfb05068484cff00299bf150ebc7093949cb4c956611ae60c49188e7952852e1", "category": "quality", "severity": "medium", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "'John Doe'", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|dfb05068484cff00299bf150ebc7093949cb4c956611ae60c49188e7952852e1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Appwrite/Utopia/Response/Model/Document.php"}, "region": {"startLine": 110}}}]}, {"ruleId": "CORE_LARGE_FILES", "level": "warning", "message": {"text": "Average file size is 742 lines (recommend <300)"}, "properties": {"repobilityId": 85518, "scanner": "repobility-core", "fingerprint": "26e7ef11470d257723a3c73ec48da976dfd331b8db7011083ea892e4de0b2cb8", "category": "quality", "severity": "medium", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_LARGE_FILES", "scanner": "repobility-core", "correlation_key": "fp|26e7ef11470d257723a3c73ec48da976dfd331b8db7011083ea892e4de0b2cb8"}}}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 85667, "scanner": "repobility-docker", "fingerprint": "a42e8ce7d2b1656b67611a6edc5cfc7ca405d674f9cbd99cf713da1d9be84bf4", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|a42e8ce7d2b1656b67611a6edc5cfc7ca405d674f9cbd99cf713da1d9be84bf4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 343}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 85666, "scanner": "repobility-docker", "fingerprint": "7feda30ff13bba20804b1f0184c93a86e4f68eb00820d29ae731c36bd47d9a19", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "maildev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|7feda30ff13bba20804b1f0184c93a86e4f68eb00820d29ae731c36bd47d9a19"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 324}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 85665, "scanner": "repobility-docker", "fingerprint": "2c8595e93131eb94f09ced21d77e0d34a6715072e32b43c2ca3bf660511b6904", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "maildev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2c8595e93131eb94f09ced21d77e0d34a6715072e32b43c2ca3bf660511b6904"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 324}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 85660, "scanner": "repobility-docker", "fingerprint": "caba36c7bf334e1525b11f8ceebaebe2d84a9bebcf167450ba1786afa8518bdc", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "appwrite-schedule", "dependency": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|caba36c7bf334e1525b11f8ceebaebe2d84a9bebcf167450ba1786afa8518bdc", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 291}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 85659, "scanner": "repobility-docker", "fingerprint": "6c868a4346e67deb9185ce0d3a1e814a3c8957f555435999ce313d078464137f", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "appwrite-schedule", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6c868a4346e67deb9185ce0d3a1e814a3c8957f555435999ce313d078464137f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 291}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 85658, "scanner": "repobility-docker", "fingerprint": "85c0b2c1978ae28b9b85f7213471e4c7cfb19e1f0ee67ebccd3a731037ae86d7", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "appwrite-schedule", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|85c0b2c1978ae28b9b85f7213471e4c7cfb19e1f0ee67ebccd3a731037ae86d7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 291}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 85657, "scanner": "repobility-docker", "fingerprint": "a8368243330fc5de6248ba6182f1374025da50008d8245e3fd3fe488bfee0a3a", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "appwrite-worker-builds", "dependency": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|a8368243330fc5de6248ba6182f1374025da50008d8245e3fd3fe488bfee0a3a", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 263}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 85656, "scanner": "repobility-docker", "fingerprint": "6539f6e0ff45053d39ad2048f55c96875cf960022b5c271308f7425d8b9da548", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "appwrite-worker-builds", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6539f6e0ff45053d39ad2048f55c96875cf960022b5c271308f7425d8b9da548"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 263}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 85655, "scanner": "repobility-docker", "fingerprint": "b45f5b90429ea139a18ea53df2acde6f0a2f53ca187ffa60037127c615d49a1f", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "appwrite-worker-builds", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b45f5b90429ea139a18ea53df2acde6f0a2f53ca187ffa60037127c615d49a1f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 263}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 85654, "scanner": "repobility-docker", "fingerprint": "dd29bddfd48ead82077f29633deee1f44f2bcf445db9e6da971d9ff06864577d", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "appwrite-worker-mails", "dependency": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|dd29bddfd48ead82077f29633deee1f44f2bcf445db9e6da971d9ff06864577d", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 244}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 85653, "scanner": "repobility-docker", "fingerprint": "089b478a2ec06c6019880bbd5e098bd0933dcdadff82db4eacefad325fb5f549", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "appwrite-worker-mails", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|089b478a2ec06c6019880bbd5e098bd0933dcdadff82db4eacefad325fb5f549"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 244}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 85652, "scanner": "repobility-docker", "fingerprint": "2475f6b737374b639604caa6e703daf7e2b2957cb6605deb4da78950c21d8600", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "appwrite-worker-mails", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2475f6b737374b639604caa6e703daf7e2b2957cb6605deb4da78950c21d8600"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 244}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 85651, "scanner": "repobility-docker", "fingerprint": "b87fe7a19aed57955c4733770acaa2aea2e06b3c3a6112ae3310df47379cd1da", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "appwrite-worker-functions", "dependency": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|b87fe7a19aed57955c4733770acaa2aea2e06b3c3a6112ae3310df47379cd1da", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 214}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 85650, "scanner": "repobility-docker", "fingerprint": "1c484166b577150fb8f41e2e3cc0660eddab1e4d129f40f8349c71421716b0fb", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "appwrite-worker-functions", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1c484166b577150fb8f41e2e3cc0660eddab1e4d129f40f8349c71421716b0fb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 214}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 85648, "scanner": "repobility-docker", "fingerprint": "6e6a5d7bd46d197a4954f2306b936f7d7bbc7bf0133f67e90b4f32e59a70c231", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "appwrite-worker-functions", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|6e6a5d7bd46d197a4954f2306b936f7d7bbc7bf0133f67e90b4f32e59a70c231"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 214}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 85647, "scanner": "repobility-docker", "fingerprint": "f62a23c77b584ef7fd3e0872aad7089d2d7bf75ea9ad2b9265b710f6823f5cd7", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "appwrite-worker-certificates", "dependency": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|f62a23c77b584ef7fd3e0872aad7089d2d7bf75ea9ad2b9265b710f6823f5cd7", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 190}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 85646, "scanner": "repobility-docker", "fingerprint": "98fe989805d9f35d324ef108991be69d54a16ec9e607ab596b7c57dc7e6c8ff8", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "appwrite-worker-certificates", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|98fe989805d9f35d324ef108991be69d54a16ec9e607ab596b7c57dc7e6c8ff8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 190}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 85645, "scanner": "repobility-docker", "fingerprint": "f48845615b178e6fbea915ec27a11f63494de58225ef522dbf3e7f89a5d2e63a", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "appwrite-worker-certificates", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|f48845615b178e6fbea915ec27a11f63494de58225ef522dbf3e7f89a5d2e63a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 190}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 85644, "scanner": "repobility-docker", "fingerprint": "2351c985143b06b55c2b47cec053e47444a98fd44b13eb88434332edd7fb72aa", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "appwrite-worker-deletes", "dependency": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|2351c985143b06b55c2b47cec053e47444a98fd44b13eb88434332edd7fb72aa", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 165}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 85643, "scanner": "repobility-docker", "fingerprint": "e1b295da392f11ce1ce9b1b801d003866f80e3f617988e07f3df072c3bf3c4dd", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "appwrite-worker-deletes", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|e1b295da392f11ce1ce9b1b801d003866f80e3f617988e07f3df072c3bf3c4dd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 165}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 85642, "scanner": "repobility-docker", "fingerprint": "60aa1813dec4947f0fc0ce8b8f510dfac8611b9380a51f0dca33373fb7e34cb3", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "appwrite-worker-deletes", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|60aa1813dec4947f0fc0ce8b8f510dfac8611b9380a51f0dca33373fb7e34cb3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 165}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 85641, "scanner": "repobility-docker", "fingerprint": "673c19beec8e9e323d9d8cd22246e10365af91339bb847269bef595fe5a884ad", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "appwrite-worker-tasks", "dependency": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|673c19beec8e9e323d9d8cd22246e10365af91339bb847269bef595fe5a884ad", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 144}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 85640, "scanner": "repobility-docker", "fingerprint": "ac09499e11722b8fce2c0ff95a01598a263fda406e475e36d9b43760cdfc61cf", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "appwrite-worker-tasks", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ac09499e11722b8fce2c0ff95a01598a263fda406e475e36d9b43760cdfc61cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 144}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 85639, "scanner": "repobility-docker", "fingerprint": "cb3090ea711d70da3e74478bcc10b784d59d9caf264bcbbda9e328041a7230a1", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "appwrite-worker-tasks", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|cb3090ea711d70da3e74478bcc10b784d59d9caf264bcbbda9e328041a7230a1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 144}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 85638, "scanner": "repobility-docker", "fingerprint": "8a9386f7c83a344ca4f64aa4b33861326e68c233cedb31d9ee319b1e3502b1f3", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "appwrite-worker-webhooks", "dependency": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|8a9386f7c83a344ca4f64aa4b33861326e68c233cedb31d9ee319b1e3502b1f3", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 123}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 85637, "scanner": "repobility-docker", "fingerprint": "fc86cf166c60cf878a375c48991e9695832c6666cb947b445aac0e3ee1c42097", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "appwrite-worker-webhooks", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fc86cf166c60cf878a375c48991e9695832c6666cb947b445aac0e3ee1c42097"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 123}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 85636, "scanner": "repobility-docker", "fingerprint": "1dea3b840614ec1707c8ca7a649c3f83231ab323360179f2b6ea474dda2fe53e", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "appwrite-worker-webhooks", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1dea3b840614ec1707c8ca7a649c3f83231ab323360179f2b6ea474dda2fe53e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 123}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 85635, "scanner": "repobility-docker", "fingerprint": "df2e074ac851f911331822d47a373857c240a216212cf0c81675374474528da1", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "appwrite-worker-audits", "dependency": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|df2e074ac851f911331822d47a373857c240a216212cf0c81675374474528da1", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 85634, "scanner": "repobility-docker", "fingerprint": "88deccfdba26a91bcc2eedae924352c2cf45213bf9f4ee0d6bc4d058dab2889c", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "appwrite-worker-audits", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|88deccfdba26a91bcc2eedae924352c2cf45213bf9f4ee0d6bc4d058dab2889c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 85633, "scanner": "repobility-docker", "fingerprint": "ea51d208edb007f01bddedf07b5d7c0a13945809e00d566669af452f41fb2614", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "appwrite-worker-audits", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ea51d208edb007f01bddedf07b5d7c0a13945809e00d566669af452f41fb2614"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 102}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 85632, "scanner": "repobility-docker", "fingerprint": "bbd2243efd8976487ea669d13765da99afe617bf214095c655f0b4a693a851e6", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "appwrite-worker-stats-usage", "dependency": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|bbd2243efd8976487ea669d13765da99afe617bf214095c655f0b4a693a851e6", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 85631, "scanner": "repobility-docker", "fingerprint": "fb9b9f37db26f70cd8e0a64e0e6606da1226dd0fb18d0228cb2e9e7ce7380a74", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "appwrite-worker-stats-usage", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fb9b9f37db26f70cd8e0a64e0e6606da1226dd0fb18d0228cb2e9e7ce7380a74"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 85630, "scanner": "repobility-docker", "fingerprint": "9863effd186b370249939b8b2430b5a6a2d50e70080bfbba48560f2bf9dc3de5", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "appwrite-worker-stats-usage", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9863effd186b370249939b8b2430b5a6a2d50e70080bfbba48560f2bf9dc3de5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 87}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 85629, "scanner": "repobility-docker", "fingerprint": "87717689678b038f468dc68ff1f273c2adcf407a1c03c938464166bf55b5c0c5", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "appwrite", "dependency": "mariadb", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|87717689678b038f468dc68ff1f273c2adcf407a1c03c938464166bf55b5c0c5", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 354}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 85628, "scanner": "repobility-docker", "fingerprint": "3723670d831f2b60e3e23cdd20a3049f4bc5a30b6eb89eb7219ce65bc4950a68", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "appwrite", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3723670d831f2b60e3e23cdd20a3049f4bc5a30b6eb89eb7219ce65bc4950a68"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 354}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 85626, "scanner": "repobility-docker", "fingerprint": "2f850a5a435799b7c3d753921f5640a6a972654d4f9f8f28943881d4716265c8", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "appwrite", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2f850a5a435799b7c3d753921f5640a6a972654d4f9f8f28943881d4716265c8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 354}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 85624, "scanner": "repobility-docker", "fingerprint": "964592e4040cec1e936a53e7a94c0c40edae971a90bfc703314110abcda42ff2", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "graphql-explorer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|964592e4040cec1e936a53e7a94c0c40edae971a90bfc703314110abcda42ff2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1212}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 85623, "scanner": "repobility-docker", "fingerprint": "0902841ff1310f3e989937442468f78af359e2e9daf3eab3ddb45da30a52b40e", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "graphql-explorer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0902841ff1310f3e989937442468f78af359e2e9daf3eab3ddb45da30a52b40e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1212}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 85622, "scanner": "repobility-docker", "fingerprint": "eca3f7784d3689a4c2b479652b51d5eb999f5c497a336028b4d73b891c3d8cca", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis-insight", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|eca3f7784d3689a4c2b479652b51d5eb999f5c497a336028b4d73b891c3d8cca"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1185}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 85618, "scanner": "repobility-docker", "fingerprint": "2377b2f00f07435e4a851b8135fb8ceff0826f39eea6d44ea21ed553bfe26ec5", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "adminer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|2377b2f00f07435e4a851b8135fb8ceff0826f39eea6d44ea21ed553bfe26ec5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1152}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 85616, "scanner": "repobility-docker", "fingerprint": "fc5281203846b9e76957d1a1dcd96156e679734adce26791936ed3c99f1f54f2", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "adminer", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fc5281203846b9e76957d1a1dcd96156e679734adce26791936ed3c99f1f54f2"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1152}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 85614, "scanner": "repobility-docker", "fingerprint": "fe483eb1f765460899d8afa495828546848d9e212461535b3962dd5983ea20ec", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "request-catcher-sms", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|fe483eb1f765460899d8afa495828546848d9e212461535b3962dd5983ea20ec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1143}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 85613, "scanner": "repobility-docker", "fingerprint": "3d7f82b62fb7caecd175149c1001253f7b4c70dbdcc0d0b5bedf0d60a92baeef", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "request-catcher-sms", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|3d7f82b62fb7caecd175149c1001253f7b4c70dbdcc0d0b5bedf0d60a92baeef"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1143}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 85612, "scanner": "repobility-docker", "fingerprint": "30e1b10117d5c75bde855407f4c748a9cf63cacbdad228882159adbcda569d9a", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "request-catcher-webhook", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|30e1b10117d5c75bde855407f4c748a9cf63cacbdad228882159adbcda569d9a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1134}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 85611, "scanner": "repobility-docker", "fingerprint": "84a5ecb8be108ff89ac2097f9417ea3542ee2e5e3a98ee221dedd4bee132a4bb", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "request-catcher-webhook", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|84a5ecb8be108ff89ac2097f9417ea3542ee2e5e3a98ee221dedd4bee132a4bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1134}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 85610, "scanner": "repobility-docker", "fingerprint": "ddb0cbbe5470fbd286e32938f75412c9b556f8fb80ed579fe6c719986727101c", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "maildev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ddb0cbbe5470fbd286e32938f75412c9b556f8fb80ed579fe6c719986727101c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1112}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 85609, "scanner": "repobility-docker", "fingerprint": "0d2b5f55fa352caf3214fe8a354031db549f2a2f256ea87aafc80a0609e7e8d4", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "maildev", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|0d2b5f55fa352caf3214fe8a354031db549f2a2f256ea87aafc80a0609e7e8d4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1112}}}]}, {"ruleId": "DKC015", "level": "note", "message": {"text": "Database service has no healthcheck"}, "properties": {"repobilityId": 85608, "scanner": "repobility-docker", "fingerprint": "044e3c3ce91060a0533c159fb767b5c2233533df7838e2a20f1754cab2813276", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like service has no Compose healthcheck.", "evidence": {"rule_id": "DKC015", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|044e3c3ce91060a0533c159fb767b5c2233533df7838e2a20f1754cab2813276"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1069}}}]}, {"ruleId": "DKC017", "level": "note", "message": {"text": "Database password is wired through an environment variable placeholder"}, "properties": {"repobilityId": 85606, "scanner": "repobility-docker", "fingerprint": "6b1b78105b329a68fd99517e95fb2a072c9179e1146a01979ff629b5d7ea48b3", "category": "docker", "severity": "low", "confidence": 0.58, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Database image supports file-based secret variables, but only placeholder environment variables were found.", "evidence": {"rule_id": "DKC017", "scanner": "repobility-docker", "service": "mariadb", "variables": ["MYSQL_ROOT_PASSWORD", "MYSQL_PASSWORD"], "references": ["https://docs.docker.com/compose/how-tos/use-secrets/"], "correlation_key": "fp|6b1b78105b329a68fd99517e95fb2a072c9179e1146a01979ff629b5d7ea48b3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1051}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 85585, "scanner": "repobility-docker", "fingerprint": "ea47e476c63b5d44e951813903cbb3d9703cbd703044658a15de7a6164f4d8cf", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "appwrite-realtime", "dependency": "mariadb", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|ea47e476c63b5d44e951813903cbb3d9703cbd703044658a15de7a6164f4d8cf", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 251}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 85584, "scanner": "repobility-docker", "fingerprint": "ad6941e9b6fa542715d9475817b9ce9ca9b887f0658114ca23e2ea5e5e289c89", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "appwrite-realtime", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|ad6941e9b6fa542715d9475817b9ce9ca9b887f0658114ca23e2ea5e5e289c89"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 251}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 85583, "scanner": "repobility-docker", "fingerprint": "c690ffbd2d6ae5b6c9a56426ab9830e70b6b1b653a016fd1e4df76f6017dece8", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "appwrite-realtime", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|c690ffbd2d6ae5b6c9a56426ab9830e70b6b1b653a016fd1e4df76f6017dece8"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 251}}}]}, {"ruleId": "DKC016", "level": "note", "message": {"text": "App service does not wait for database health"}, "properties": {"repobilityId": 85581, "scanner": "repobility-docker", "fingerprint": "f11ea9eae4d7176210d602c20de896bda59724940ea806e200aa67b9f36ababe", "category": "docker", "severity": "low", "confidence": 0.68, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "App depends on a database-like service without a health-gated dependency.", "evidence": {"rule_id": "DKC016", "scanner": "repobility-docker", "service": "appwrite", "dependency": "mariadb", "references": ["https://docs.docker.com/compose/how-tos/startup-order/"], "correlation_key": "fp|f11ea9eae4d7176210d602c20de896bda59724940ea806e200aa67b9f36ababe", "dependency_has_healthcheck": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1228}}}]}, {"ruleId": "DKC010", "level": "note", "message": {"text": "Compose service lacks no-new-privileges hardening"}, "properties": {"repobilityId": 85580, "scanner": "repobility-docker", "fingerprint": "9a178ba1b4d2e39a4d8d50f6eb96f29ab9bd70f85817fbedf4bb1fc274e38f6c", "category": "docker", "severity": "low", "confidence": 0.62, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "App-like service has no security_opt no-new-privileges setting.", "evidence": {"rule_id": "DKC010", "scanner": "repobility-docker", "service": "appwrite", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|9a178ba1b4d2e39a4d8d50f6eb96f29ab9bd70f85817fbedf4bb1fc274e38f6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1228}}}]}, {"ruleId": "DKC006", "level": "note", "message": {"text": "Compose service does not declare a runtime user"}, "properties": {"repobilityId": 85578, "scanner": "repobility-docker", "fingerprint": "452c7a8f8fde60d49a341754f30ca6f3d064f270a85f593594a63077894e7a6c", "category": "docker", "severity": "low", "confidence": 0.56, "triageState": "open", "verdict": "needs_review", "isResolved": false, "reason": "Service has no user setting and Repobility could not prove the image runs non-root.", "evidence": {"rule_id": "DKC006", "scanner": "repobility-docker", "service": "appwrite", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|452c7a8f8fde60d49a341754f30ca6f3d064f270a85f593594a63077894e7a6c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1228}}}]}, {"ruleId": "DKR008", "level": "note", "message": {"text": ".dockerignore misses sensitive defaults"}, "properties": {"repobilityId": 85575, "scanner": "repobility-docker", "fingerprint": "aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "category": "docker", "severity": "low", "confidence": 0.72, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "A Docker build context should exclude secrets and repository metadata.", "evidence": {"rule_id": "DKR008", "scanner": "repobility-docker", "references": ["https://docs.docker.com/develop/develop-images/dockerfile_best-practices/"], "correlation_key": "fp|aea2ad92c68c4ee1f8432bb1ec25e7d45ac12c9e1790ac2d3fffe638b1acce12", "missing_patterns": [".env", "id_rsa", "*.pem", "*.key"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".dockerignore"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85572, "scanner": "repobility-ai-code-hygiene", "fingerprint": "75bcb1e8a1b4a790474b3b548aa8321b323506366d6d9be38a2714e5c6b28fec", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/services/functions.ts", "duplicate_line": 1, "correlation_key": "fp|75bcb1e8a1b4a790474b3b548aa8321b323506366d6d9be38a2714e5c6b28fec"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-web/services/functions.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85571, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b36bd90a4e01b364fcfb645088ef27011e512901e35da3362370b071b6079e46", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/services/databases.ts", "duplicate_line": 1, "correlation_key": "fp|b36bd90a4e01b364fcfb645088ef27011e512901e35da3362370b071b6079e46"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-web/services/databases.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85570, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4f7e39a5ba64b068e6e02186a50d6dab6abc920f06cfbe8e238bd6ce21fb9c58", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/services/avatars.ts", "duplicate_line": 1, "correlation_key": "fp|4f7e39a5ba64b068e6e02186a50d6dab6abc920f06cfbe8e238bd6ce21fb9c58"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-web/services/avatars.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85569, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5962664fc2fcba8c3ecf7b47ad53a18f60e0cae2b8f88fdafd0f28d6149270dc", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/service.ts", "duplicate_line": 1, "correlation_key": "fp|5962664fc2fcba8c3ecf7b47ad53a18f60e0cae2b8f88fdafd0f28d6149270dc"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-web/service.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85568, "scanner": "repobility-ai-code-hygiene", "fingerprint": "12a1301857edf6e99c5713b67ad2870c73bee01955c43799bab757660be79cf1", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/role.ts", "duplicate_line": 1, "correlation_key": "fp|12a1301857edf6e99c5713b67ad2870c73bee01955c43799bab757660be79cf1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-web/role.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85567, "scanner": "repobility-ai-code-hygiene", "fingerprint": "b502954b127b75bd1bf08b7ee32663f054da84c6300a6e7a9b018fde595c1b03", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/query.ts", "duplicate_line": 1, "correlation_key": "fp|b502954b127b75bd1bf08b7ee32663f054da84c6300a6e7a9b018fde595c1b03"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-web/query.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85566, "scanner": "repobility-ai-code-hygiene", "fingerprint": "1ca95c7ef1a43d79b1ce0e17cdccf3f09dd61322949c150866df4c907ab21280", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/permission.ts", "duplicate_line": 1, "correlation_key": "fp|1ca95c7ef1a43d79b1ce0e17cdccf3f09dd61322949c150866df4c907ab21280"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-web/permission.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85565, "scanner": "repobility-ai-code-hygiene", "fingerprint": "99fc863ee5d8df1c23864b5f82a2ffa40238db66b61ac709bdc33a5ec85cad06", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/models.ts", "duplicate_line": 1, "correlation_key": "fp|99fc863ee5d8df1c23864b5f82a2ffa40238db66b61ac709bdc33a5ec85cad06"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-web/models.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85564, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7ddabd226d5fbc656ad03567aa9734616269414ab3dca61154ffc4d412cd1689", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/index.ts", "duplicate_line": 1, "correlation_key": "fp|7ddabd226d5fbc656ad03567aa9734616269414ab3dca61154ffc4d412cd1689"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-web/index.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85563, "scanner": "repobility-ai-code-hygiene", "fingerprint": "d45917f095670875ef5408564986482a448cb41ca7f2a6be8eceed3427f40bbe", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/client.ts", "duplicate_line": 1, "correlation_key": "fp|d45917f095670875ef5408564986482a448cb41ca7f2a6be8eceed3427f40bbe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-web/client.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85562, "scanner": "repobility-ai-code-hygiene", "fingerprint": "584ba9cf85a23fde23cbee14cd277a6f3295a3504d9d1a0cc7e27e9e1b9ecaa0", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/services/functions.ts", "duplicate_line": 32, "correlation_key": "fp|584ba9cf85a23fde23cbee14cd277a6f3295a3504d9d1a0cc7e27e9e1b9ecaa0"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-project/services/teams.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85561, "scanner": "repobility-ai-code-hygiene", "fingerprint": "5a6adef8996c342d0b60ef889446b8259acc77d6a4b4d65fbacda79d34c7f782", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/services/teams.ts", "duplicate_line": 1, "correlation_key": "fp|5a6adef8996c342d0b60ef889446b8259acc77d6a4b4d65fbacda79d34c7f782"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-project/services/teams.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85560, "scanner": "repobility-ai-code-hygiene", "fingerprint": "90ce4654696094fabdf745f909ac63441551e2a03c5b23030cc709c7c81e0b2d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/services/functions.ts", "duplicate_line": 32, "correlation_key": "fp|90ce4654696094fabdf745f909ac63441551e2a03c5b23030cc709c7c81e0b2d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-project/services/storage.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85559, "scanner": "repobility-ai-code-hygiene", "fingerprint": "43b4f8642c5bfb6fa261c66aaab9a81364786edc3559c03539709d9a1342671f", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/services/storage.ts", "duplicate_line": 1, "correlation_key": "fp|43b4f8642c5bfb6fa261c66aaab9a81364786edc3559c03539709d9a1342671f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-project/services/storage.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85558, "scanner": "repobility-ai-code-hygiene", "fingerprint": "719298c88fb582b7e4a568cffb7bba80e19966dfa01e6e42ef6f41fef8927a73", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/services/locale.ts", "duplicate_line": 1, "correlation_key": "fp|719298c88fb582b7e4a568cffb7bba80e19966dfa01e6e42ef6f41fef8927a73"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-project/services/locale.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85557, "scanner": "repobility-ai-code-hygiene", "fingerprint": "4e9c12e823b3513895f2b3d993177ffbd46eca7d470f5fa0a756bba5ed3bea51", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/services/functions.ts", "duplicate_line": 1, "correlation_key": "fp|4e9c12e823b3513895f2b3d993177ffbd46eca7d470f5fa0a756bba5ed3bea51"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-project/services/functions.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85556, "scanner": "repobility-ai-code-hygiene", "fingerprint": "2373aee7e3616181c1df0511441c083d276fa9c470ccfe908169b564e895df82", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/services/databases.ts", "duplicate_line": 1, "correlation_key": "fp|2373aee7e3616181c1df0511441c083d276fa9c470ccfe908169b564e895df82"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-project/services/databases.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85555, "scanner": "repobility-ai-code-hygiene", "fingerprint": "63b85e26041ee50a91d02f482cebb641ab73910313945a1409b7f4fa7d3e3855", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/services/avatars.ts", "duplicate_line": 1, "correlation_key": "fp|63b85e26041ee50a91d02f482cebb641ab73910313945a1409b7f4fa7d3e3855"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-project/services/avatars.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85554, "scanner": "repobility-ai-code-hygiene", "fingerprint": "0667f38623bef87c9e7657d1f88658153f7700b189d21f15ac0d4a97a9daa91d", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/service.ts", "duplicate_line": 1, "correlation_key": "fp|0667f38623bef87c9e7657d1f88658153f7700b189d21f15ac0d4a97a9daa91d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-project/service.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85553, "scanner": "repobility-ai-code-hygiene", "fingerprint": "fe385b3934fe14a08a0fa96b01d8d9358b36c3b31f64720a164d70aa19d3393a", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/role.ts", "duplicate_line": 1, "correlation_key": "fp|fe385b3934fe14a08a0fa96b01d8d9358b36c3b31f64720a164d70aa19d3393a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-project/role.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85552, "scanner": "repobility-ai-code-hygiene", "fingerprint": "75fd1697a5d260c77bc87b2a185c9df0a1720a1b80727771c7beaf6a7bf7326b", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/query.ts", "duplicate_line": 1, "correlation_key": "fp|75fd1697a5d260c77bc87b2a185c9df0a1720a1b80727771c7beaf6a7bf7326b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-project/query.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85551, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ba32f395b1da29171387e3be9085181029ffaa65dcab61dd420904ba7919d087", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/permission.ts", "duplicate_line": 1, "correlation_key": "fp|ba32f395b1da29171387e3be9085181029ffaa65dcab61dd420904ba7919d087"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-project/permission.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85550, "scanner": "repobility-ai-code-hygiene", "fingerprint": "be5a97b3f0657556cd376a76333f4175c3d75420ca0d9c168e3d02b8e8deaae6", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/models.ts", "duplicate_line": 1, "correlation_key": "fp|be5a97b3f0657556cd376a76333f4175c3d75420ca0d9c168e3d02b8e8deaae6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-project/models.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85549, "scanner": "repobility-ai-code-hygiene", "fingerprint": "ac0023e5208cd107501ab8899e782171d88c4bd7d7b6f34c27fa0147a90a9f8e", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/index.ts", "duplicate_line": 1, "correlation_key": "fp|ac0023e5208cd107501ab8899e782171d88c4bd7d7b6f34c27fa0147a90a9f8e"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-project/index.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85548, "scanner": "repobility-ai-code-hygiene", "fingerprint": "83113a20c74bcaa0aeca089aa8c1e16e4af60e72750543e3121785c9d27b89ed", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/client.ts", "duplicate_line": 1, "correlation_key": "fp|83113a20c74bcaa0aeca089aa8c1e16e4af60e72750543e3121785c9d27b89ed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-project/client.ts"}, "region": {"startLine": 1}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85547, "scanner": "repobility-ai-code-hygiene", "fingerprint": "56beb330a7abba04ad64f1926d0be97306e908d8d149709880bd412ace290ec4", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/services/functions.ts", "duplicate_line": 32, "correlation_key": "fp|56beb330a7abba04ad64f1926d0be97306e908d8d149709880bd412ace290ec4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-console/services/teams.ts"}, "region": {"startLine": 12}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85546, "scanner": "repobility-ai-code-hygiene", "fingerprint": "e9d46f908e09a93f48979ae8cf200c94897a1f038875b2f83aea7660c57fc784", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "public/sdk-console/services/functions.ts", "duplicate_line": 32, "correlation_key": "fp|e9d46f908e09a93f48979ae8cf200c94897a1f038875b2f83aea7660c57fc784"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-console/services/storage.ts"}, "region": {"startLine": 15}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85545, "scanner": "repobility-ai-code-hygiene", "fingerprint": "7ffad4b4b01552044a602765b09af4073fad15d48fdcc17206efcb70b88a45b5", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/realtime.php", "duplicate_line": 202, "correlation_key": "fp|7ffad4b4b01552044a602765b09af4073fad15d48fdcc17206efcb70b88a45b5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/worker.php"}, "region": {"startLine": 416}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85544, "scanner": "repobility-ai-code-hygiene", "fingerprint": "da82d2de6c9a6809bbd6947ec2c82392ace39e5d923648ab67ab4c4b0be12432", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/cli.php", "duplicate_line": 105, "correlation_key": "fp|da82d2de6c9a6809bbd6947ec2c82392ace39e5d923648ab67ab4c4b0be12432"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/worker.php"}, "region": {"startLine": 85}}}]}, {"ruleId": "AIC003", "level": "note", "message": {"text": "Duplicated implementation block across source files"}, "properties": {"repobilityId": 85543, "scanner": "repobility-ai-code-hygiene", "fingerprint": "3f8a493d78dce06e382fd314754a9fdf86d37a0e77667088b0a660172290f13c", "category": "quality", "severity": "low", "confidence": 0.86, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "A normalized source-code window appears in two different non-test files.", "evidence": {"lines": 12, "rule_id": "AIC003", "scanner": "repobility-ai-code-hygiene", "references": ["https://jscpd.dev/"], "duplicate_file": "app/cli.php", "duplicate_line": 105, "correlation_key": "fp|3f8a493d78dce06e382fd314754a9fdf86d37a0e77667088b0a660172290f13c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/realtime.php"}, "region": {"startLine": 85}}}]}, {"ruleId": "SEC061", "level": "none", "message": {"text": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT)."}, "properties": {"repobilityId": 85541, "scanner": "repobility-threat-engine", "fingerprint": "a9c25b0413c7c86c9ae41f84baa20f5497ea7091acaa66b150341664ecdb72e4", "category": "secret", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'example' detected on same line", "evidence": {"match": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE", "reason": "Safe pattern 'example' detected on same line", "rule_id": "SEC061", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|5|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Appwrite/Utopia/Response/Model/ResourceToken.php"}, "region": {"startLine": 51}}}]}, {"ruleId": "SEC061", "level": "none", "message": {"text": "[SEC061] JWT in source: Three-part JWT (likely signed token). Even if expired, may leak structure or claims. Ported from gitleaks jwt (MIT)."}, "properties": {"repobilityId": 85540, "scanner": "repobility-threat-engine", "fingerprint": "fc7a8ccda941130b657de762c4837526dc116c584de052e3dde7cd1772435eab", "category": "secret", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe pattern 'example' detected on same line", "evidence": {"match": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE", "reason": "Safe pattern 'example' detected on same line", "rule_id": "SEC061", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|token|1|token"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Appwrite/Utopia/Response/Model/JWT.php"}, "region": {"startLine": 16}}}]}, {"ruleId": "MINED053", "level": "none", "message": {"text": "[MINED053] Placeholder Default Username: foo@bar.com / john.doe@example.com / admin/admin / changeme \u2014 typical AI placeholder credentials."}, "properties": {"repobilityId": 85539, "scanner": "repobility-threat-engine", "fingerprint": "062ac9755ffbc6ffdb09ca5ff0f2252c4315a01951ccace7bab3f9537c5d32af", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "placeholder-default-username", "owasp": null, "cwe_ids": ["CWE-1392", "CWE-798"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348025+00:00", "triaged_in_corpus": 10, "observations_count": 456953, "ai_coder_pattern_id": 44}, "scanner": "repobility-threat-engine", "correlation_key": "fp|062ac9755ffbc6ffdb09ca5ff0f2252c4315a01951ccace7bab3f9537c5d32af"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Appwrite/Utopia/Response/Model/Document.php"}, "region": {"startLine": 109}}}]}, {"ruleId": "SEC134", "level": "none", "message": {"text": "[SEC134] AI scaffold leftover \u2014 Lorem ipsum / example.com / John Doe in code (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 85538, "scanner": "repobility-threat-engine", "fingerprint": "9b6b4a1d723ec7da5161443e73b9df392fc4547abeb1ff786b374dab66f0549d", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC134", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|9b6b4a1d723ec7da5161443e73b9df392fc4547abeb1ff786b374dab66f0549d"}}}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 85534, "scanner": "repobility-threat-engine", "fingerprint": "6fe41f5160ca1f0981586256207ddaefa77309b51b25bb1dcf9d7c657f6f87c6", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6fe41f5160ca1f0981586256207ddaefa77309b51b25bb1dcf9d7c657f6f87c6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Appwrite/Platform/Tasks/Upgrade.php"}, "region": {"startLine": 32}}}]}, {"ruleId": "MINED048", "level": "none", "message": {"text": "[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues."}, "properties": {"repobilityId": 85533, "scanner": "repobility-threat-engine", "fingerprint": "5753e766cc99ad884b85d343ed53ce2f990c8df9b3aba901ea39060ecb5a02bb", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "php-error-suppress", "owasp": null, "cwe_ids": ["CWE-755"], "languages": ["php"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348013+00:00", "triaged_in_corpus": 12, "observations_count": 849118, "ai_coder_pattern_id": 166}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5753e766cc99ad884b85d343ed53ce2f990c8df9b3aba901ea39060ecb5a02bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Appwrite/Platform/Tasks/Install.php"}, "region": {"startLine": 62}}}]}, {"ruleId": "MINED004", "level": "none", "message": {"text": "[MINED004] Weak Crypto (and 8 more): Same pattern found in 8 additional files. Review if needed."}, "properties": {"repobilityId": 85532, "scanner": "repobility-threat-engine", "fingerprint": "2eaab8f590234775531b0af5c0b5d781dabb04b06006b4e2a5ef6e77992ce9f7", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 8 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|2eaab8f590234775531b0af5c0b5d781dabb04b06006b4e2a5ef6e77992ce9f7", "aggregated_count": 8}}}, {"ruleId": "SEC029", "level": "none", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input (and 7 more): Same pattern found in 7 additional files. Review if needed."}, "properties": {"repobilityId": 85528, "scanner": "repobility-threat-engine", "fingerprint": "ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee", "category": "ssrf", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"reason": "Deduplicated summary only: 7 additional occurrences found. The top occurrences remain visible as actionable findings.", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 0.2, "correlation_key": "fp|ca5810ac6a2691831acbb4a51605672ba83c57f5592204a59181f6375036bfee"}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed."}, "properties": {"repobilityId": 85524, "scanner": "repobility-threat-engine", "fingerprint": "0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "category": "quality", "severity": "info", "confidence": 0.2, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Deduplicated summary only: 3 additional occurrences found. The top occurrences remain visible as actionable findings.", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "aggregated": true, "correlation_key": "fp|0c333dc88d2673beda07ea322592a5e2658418eeef4b48e34ddf9f62e680bdd2", "aggregated_count": 3}}}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 85523, "scanner": "repobility-threat-engine", "fingerprint": "27deaa6310a3edc05c90032d3868b7277e3e2a5d4d918fea9822fb6470f64543", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|27deaa6310a3edc05c90032d3868b7277e3e2a5d4d918fea9822fb6470f64543"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Appwrite/Platform/Modules/Console/Http/Resources/Get.php"}, "region": {"startLine": 123}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 85522, "scanner": "repobility-threat-engine", "fingerprint": "5d43cb9bb4057f5d903ee9a57f94d087a3f6904836e6e152cb2512c67a64f479", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|5d43cb9bb4057f5d903ee9a57f94d087a3f6904836e6e152cb2512c67a64f479"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/controllers/api/console.php"}, "region": {"startLine": 110}}}]}, {"ruleId": "MINED043", "level": "none", "message": {"text": "[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data."}, "properties": {"repobilityId": 85521, "scanner": "repobility-threat-engine", "fingerprint": "30fe9e9429909666b6ef170ee3feb127ed699d6812a45f2fd670c046fcfe8fe4", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "http-not-https", "owasp": "A02:2021", "cwe_ids": ["CWE-319"], "precision": 0.917, "promoted_at": "2026-05-18T14:01:32.347999+00:00", "triaged_in_corpus": 12, "observations_count": 4113831, "ai_coder_pattern_id": 15}, "scanner": "repobility-threat-engine", "correlation_key": "fp|30fe9e9429909666b6ef170ee3feb127ed699d6812a45f2fd670c046fcfe8fe4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/config/storage/logos.php"}, "region": {"startLine": 3}}}]}, {"ruleId": "MINED044", "level": "none", "message": {"text": "[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed."}, "properties": {"repobilityId": 85520, "scanner": "repobility-threat-engine", "fingerprint": "6fc2782bd4b612659b9f51ec6ecb063f08a7928bbb53a2fcb5185db42d986aa1", "category": "quality", "severity": "info", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "js-console-log-prod", "owasp": null, "cwe_ids": ["CWE-532"], "languages": ["javascript", "typescript", "tsx", "jsx"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.348003+00:00", "triaged_in_corpus": 10, "observations_count": 1940833, "ai_coder_pattern_id": 102}, "scanner": "repobility-threat-engine", "correlation_key": "fp|6fc2782bd4b612659b9f51ec6ecb063f08a7928bbb53a2fcb5185db42d986aa1"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/static-analysis/locale/index.js"}, "region": {"startLine": 32}}}]}, {"ruleId": "SEC020", "level": "none", "message": {"text": "[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for troubleshooting."}, "properties": {"repobilityId": 85519, "scanner": "repobility-threat-engine", "fingerprint": "f89430cdab970d9b9590eb9e5c451fac9fe859096c0227e9919ab32d0fc1f32c", "category": "credential_exposure", "severity": "info", "confidence": 0.1, "triageState": "false_positive", "verdict": "likely_fp", "isResolved": true, "reason": "Safe context pattern detected", "evidence": {"match": "console.error(`Fallback locale file ${config.fallbackLocale} not found`)", "reason": "Safe context pattern detected", "rule_id": "SEC020", "scanner": "repobility-threat-engine", "confidence": 0.1, "correlation_key": "secret|. token|3|console.error fallback locale file config.fallbacklocale not found"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/static-analysis/locale/index.js"}, "region": {"startLine": 38}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85694, "scanner": "repobility-supply-chain", "fingerprint": "41d2c59b539057fe59fb20b6ad738992fd0eb1ef0bf669ff6b0ca1310df5ebed", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|41d2c59b539057fe59fb20b6ad738992fd0eb1ef0bf669ff6b0ca1310df5ebed"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 195}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85693, "scanner": "repobility-supply-chain", "fingerprint": "d81c6dffaa2e324ff0a93f875f424b36b3261b639644f68a96d11f2df8badfcd", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d81c6dffaa2e324ff0a93f875f424b36b3261b639644f68a96d11f2df8badfcd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 192}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85692, "scanner": "repobility-supply-chain", "fingerprint": "ca2708ffd430fa3ab7c8c19bf09ddc412eccb4aebb4d4eb126f93ef74065a922", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ca2708ffd430fa3ab7c8c19bf09ddc412eccb4aebb4d4eb126f93ef74065a922"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 125}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85691, "scanner": "repobility-supply-chain", "fingerprint": "53a6c5dfe222a9245ea7a002c7341d6408f59622491debab657eaf512aad7c98", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|53a6c5dfe222a9245ea7a002c7341d6408f59622491debab657eaf512aad7c98"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 122}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85690, "scanner": "repobility-supply-chain", "fingerprint": "d0e9143a4e8fb7b727f2ea7ce92236eacdb13f75feaafde30e431e7570a5f52f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d0e9143a4e8fb7b727f2ea7ce92236eacdb13f75feaafde30e431e7570a5f52f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 89}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85689, "scanner": "repobility-supply-chain", "fingerprint": "0faa42e1f41bf4120ec5dadcb6c624769f3927bcf708def4ba5e4f1729ef7968", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|0faa42e1f41bf4120ec5dadcb6c624769f3927bcf708def4ba5e4f1729ef7968"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 86}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85688, "scanner": "repobility-supply-chain", "fingerprint": "86acfb0791ac37592f36c28e1f3d00e0bc8ab2b85f465ad5d8389a7115069364", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|86acfb0791ac37592f36c28e1f3d00e0bc8ab2b85f465ad5d8389a7115069364"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 74}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85687, "scanner": "repobility-supply-chain", "fingerprint": "27035f59af44432214cd41459713d44d2a38bcd7c4848128eeb4e5b74bcb5d6b", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|27035f59af44432214cd41459713d44d2a38bcd7c4848128eeb4e5b74bcb5d6b"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 51}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85686, "scanner": "repobility-supply-chain", "fingerprint": "298003948f07ba246359a4a11c0de19899a002e5023b5dff510f1dd10cc0842f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|298003948f07ba246359a4a11c0de19899a002e5023b5dff510f1dd10cc0842f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/tests.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85685, "scanner": "repobility-supply-chain", "fingerprint": "e44497360b434f1acbbc776c6c851e9e583a6614f99da246383b910afcf6c9f9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e44497360b434f1acbbc776c6c851e9e583a6614f99da246383b910afcf6c9f9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/linter.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85684, "scanner": "repobility-supply-chain", "fingerprint": "1b423f60d9c913605f463e3bf070bc982ade8044fd7aff736729b79d5b6f86bb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|1b423f60d9c913605f463e3bf070bc982ade8044fd7aff736729b79d5b6f86bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/static-analysis.yml"}, "region": {"startLine": 11}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85683, "scanner": "repobility-supply-chain", "fingerprint": "3109604d9a29f2bbe101d33092d4b1112450fb02e26e2b479fcd846f39f5acdb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3109604d9a29f2bbe101d33092d4b1112450fb02e26e2b479fcd846f39f5acdb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cleanup-cache.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/ai-moderator` pinned to mutable ref `@v1`: `uses: github/ai-moderator@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85682, "scanner": "repobility-supply-chain", "fingerprint": "6dc486ec83e845dce20e9c9f65fb15d77d64f6bd9442351449a68174d1e0a32f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|6dc486ec83e845dce20e9c9f65fb15d77d64f6bd9442351449a68174d1e0a32f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ai-moderator.yml"}, "region": {"startLine": 30}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v2`: `uses: github/codeql-action/analyze@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85681, "scanner": "repobility-supply-chain", "fingerprint": "c0bb5d185927e4a67567e826b323e3b23210b21fb1976ee21fc61886b5827f97", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c0bb5d185927e4a67567e826b323e3b23210b21fb1976ee21fc61886b5827f97"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 71}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/autobuild` pinned to mutable ref `@v2`: `uses: github/codeql-action/autobuild@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85680, "scanner": "repobility-supply-chain", "fingerprint": "df6e777d79bbea499165f53881d999a81e776f592d3a4b3263c6d4918daa33bb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|df6e777d79bbea499165f53881d999a81e776f592d3a4b3263c6d4918daa33bb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 57}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v2`: `uses: github/codeql-action/init@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85679, "scanner": "repobility-supply-chain", "fingerprint": "80dfa55348457537d93ba90b507e8bb0f646888835eca18cd821c2f39706a848", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|80dfa55348457537d93ba90b507e8bb0f646888835eca18cd821c2f39706a848"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 50}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85678, "scanner": "repobility-supply-chain", "fingerprint": "5c8b71a8a8bc62f6ef2ea9066b9458949e9d4348ced2fbe89360614fbbd47c45", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5c8b71a8a8bc62f6ef2ea9066b9458949e9d4348ced2fbe89360614fbbd47c45"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/codeql-analysis.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/create-or-update-comment` pinned to mutable ref `@v3`: `uses: peter-evans/create-or-update-comment@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85677, "scanner": "repobility-supply-chain", "fingerprint": "e5f72a299c7c94fbaca0e2f7f37c913db8018321c20ce03864203a3243820209", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e5f72a299c7c94fbaca0e2f7f37c913db8018321c20ce03864203a3243820209"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-scan.yml"}, "region": {"startLine": 100}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `peter-evans/find-comment` pinned to mutable ref `@v3`: `uses: peter-evans/find-comment@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85676, "scanner": "repobility-supply-chain", "fingerprint": "84f209f46468635ff1c0c2a1d9edc18e30ea01928d22f69aed0a249814e31677", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|84f209f46468635ff1c0c2a1d9edc18e30ea01928d22f69aed0a249814e31677"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-scan.yml"}, "region": {"startLine": 92}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85675, "scanner": "repobility-supply-chain", "fingerprint": "333a5f3184611421c28aa2d87e090b16447bc2c0e254905c63aef6d3136150d3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|333a5f3184611421c28aa2d87e090b16447bc2c0e254905c63aef6d3136150d3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-scan.yml"}, "region": {"startLine": 47}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aquasecurity/trivy-action` pinned to mutable ref `@0.20.0`: `uses: aquasecurity/trivy-action@0.20.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85674, "scanner": "repobility-supply-chain", "fingerprint": "e03b7ab153858b51510c62eec9f4767a9866c5555d220cc9767411da1fab5e4a", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e03b7ab153858b51510c62eec9f4767a9866c5555d220cc9767411da1fab5e4a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-scan.yml"}, "region": {"startLine": 37}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `aquasecurity/trivy-action` pinned to mutable ref `@0.20.0`: `uses: aquasecurity/trivy-action@0.20.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85673, "scanner": "repobility-supply-chain", "fingerprint": "81b5f5bd90c32c6a75b4abf033328b99a0fd817f1adface8f406cf4d930f46f3", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|81b5f5bd90c32c6a75b4abf033328b99a0fd817f1adface8f406cf4d930f46f3"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-scan.yml"}, "region": {"startLine": 29}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85672, "scanner": "repobility-supply-chain", "fingerprint": "e9a51c0ec43a8a399adfbe1bc66927f0d75f23efb9365308e19754d81b5d75d9", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|e9a51c0ec43a8a399adfbe1bc66927f0d75f23efb9365308e19754d81b5d75d9"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/pr-scan.yml"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85671, "scanner": "repobility-supply-chain", "fingerprint": "56a3d3588e780ea4441b7c7f5feda9fcffe951c6898ca24d62dbfa72a0c1f5fe", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|56a3d3588e780ea4441b7c7f5feda9fcffe951c6898ca24d62dbfa72a0c1f5fe"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-preview.yml"}, "region": {"startLine": 44}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate."}, "properties": {"repobilityId": 85670, "scanner": "repobility-supply-chain", "fingerprint": "2e31cccb809b3024d625c04116ddda354a317f325a599de5b202cfc40edf0260", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2e31cccb809b3024d625c04116ddda354a317f325a599de5b202cfc40edf0260"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/sdk-preview.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `appwrite/base:0.10.6` not pinned by digest: `FROM appwrite/base:0.10.6` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 85669, "scanner": "repobility-supply-chain", "fingerprint": "5e10fbc1999cac64547a34318b6670e70c6d7362b9fe6f998f620cecbac56feb", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|5e10fbc1999cac64547a34318b6670e70c6d7362b9fe6f998f620cecbac56feb"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 14}}}]}, {"ruleId": "MINED118", "level": "error", "message": {"text": "[MINED118] Dockerfile FROM `composer:2.0` not pinned by digest: `FROM composer:2.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity."}, "properties": {"repobilityId": 85668, "scanner": "repobility-supply-chain", "fingerprint": "b510ada6b115cbd73345c1749c300dca5f31dba1491a3b3449b2aa417ed9c428", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "docker-from-unpinned", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["dockerfile"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|b510ada6b115cbd73345c1749c300dca5f31dba1491a3b3449b2aa417ed9c428"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 85662, "scanner": "repobility-docker", "fingerprint": "d306f284d40342f7dbeac7dd8265a04e209169f9fa39ca351bb9c29d1fa4bd5f", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "3306:3306", "target": "3306", "host_ip": "", "published": "3306"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mariadb", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|d306f284d40342f7dbeac7dd8265a04e209169f9fa39ca351bb9c29d1fa4bd5f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 306}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 85620, "scanner": "repobility-docker", "fingerprint": "96ea19da386a79f6e36d32d39693f610ff5e2f2b9325064abab2b74d8795e5a6", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "8081:5540", "target": "5540", "host_ip": "", "published": "8081"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis-insight", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|96ea19da386a79f6e36d32d39693f610ff5e2f2b9325064abab2b74d8795e5a6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1185}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 85607, "scanner": "repobility-docker", "fingerprint": "0094a34914b7c28e1b62dbe5ec8c893b3c69783891fde41dc4db4ea9a4a4efdd", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "6379:6379", "target": "6379", "host_ip": "", "published": "6379"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "redis", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|0094a34914b7c28e1b62dbe5ec8c893b3c69783891fde41dc4db4ea9a4a4efdd"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1069}}}]}, {"ruleId": "DKC011", "level": "error", "message": {"text": "Database service publishes a host port"}, "properties": {"repobilityId": 85604, "scanner": "repobility-docker", "fingerprint": "6304f4f8b21abbdc3ae028c85746ae45bf81c1b3028ed23d2d751fec3fcc7552", "category": "docker", "severity": "high", "confidence": 0.84, "triageState": "open", "verdict": "likely", "isResolved": false, "reason": "Database-like image publishes host ports without a loopback-only bind.", "evidence": {"ports": [{"raw": "3306:3306", "target": "3306", "host_ip": "", "published": "3306"}], "rule_id": "DKC011", "scanner": "repobility-docker", "service": "mariadb", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "exposure_scope": "public", "correlation_key": "fp|6304f4f8b21abbdc3ae028c85746ae45bf81c1b3028ed23d2d751fec3fcc7552"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1051}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 85531, "scanner": "repobility-threat-engine", "fingerprint": "75f1b2757c5849459e6a9c59d1552d6efd307fb8a0b2951c2c36140de9c762cf", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|75f1b2757c5849459e6a9c59d1552d6efd307fb8a0b2951c2c36140de9c762cf"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Appwrite/Platform/Modules/Proxy/Http/Rules/Redirect/Create.php"}, "region": {"startLine": 98}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 85530, "scanner": "repobility-threat-engine", "fingerprint": "f6f9ff218a46447244a6ad77e6d631951e8f9bc6394290f6bd98614731026979", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|f6f9ff218a46447244a6ad77e6d631951e8f9bc6394290f6bd98614731026979"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Appwrite/Platform/Modules/Proxy/Http/Rules/Function/Create.php"}, "region": {"startLine": 93}}}]}, {"ruleId": "MINED004", "level": "error", "message": {"text": "[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums)."}, "properties": {"repobilityId": 85529, "scanner": "repobility-threat-engine", "fingerprint": "cd35cca983e9d9c9d89039f070b676275673f5ebd0de1a7d3e7843618c5e5a85", "category": "quality", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"mined": true, "mining": {"slug": "weak-crypto", "owasp": "A02:2021", "cwe_ids": ["CWE-327"], "precision": 1.0, "promoted_at": "2026-05-18T14:01:32.347906+00:00", "triaged_in_corpus": 15, "observations_count": 303181, "ai_coder_pattern_id": 13}, "scanner": "repobility-threat-engine", "correlation_key": "fp|cd35cca983e9d9c9d89039f070b676275673f5ebd0de1a7d3e7843618c5e5a85"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Appwrite/Platform/Modules/Proxy/Http/Rules/API/Create.php"}, "region": {"startLine": 81}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 85527, "scanner": "repobility-threat-engine", "fingerprint": "722ac8d675b1b9cea0318ce451b679c855161bee44760f21f0621ab1cf20ba27", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|722ac8d675b1b9cea0318ce451b679c855161bee44760f21f0621ab1cf20ba27"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-console/services/locale.ts"}, "region": {"startLine": 30}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 85526, "scanner": "repobility-threat-engine", "fingerprint": "7e871313fd57fbf97d37287d1022de2e0bd8b1cea89390ee38749fd65d97829a", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|7e871313fd57fbf97d37287d1022de2e0bd8b1cea89390ee38749fd65d97829a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-console/services/functions.ts"}, "region": {"startLine": 39}}}]}, {"ruleId": "SEC029", "level": "error", "message": {"text": "[SEC029] Server-Side Request Forgery (SSRF) \u2014 outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches."}, "properties": {"repobilityId": 85525, "scanner": "repobility-threat-engine", "fingerprint": "a4cf79037de6972e88853b3b8f16521a51c38ad0f3d7494088ffa12efff1f762", "category": "ssrf", "severity": "high", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Pattern matched with no mitigating context found", "evidence": {"match": "URL(t", "reason": "Pattern matched with no mitigating context found", "rule_id": "SEC029", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|a4cf79037de6972e88853b3b8f16521a51c38ad0f3d7494088ffa12efff1f762"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "public/sdk-console/services/databases.ts"}, "region": {"startLine": 43}}}]}, {"ruleId": "CORE_NO_TESTS", "level": "error", "message": {"text": "No test files found"}, "properties": {"repobilityId": 85517, "scanner": "repobility-core", "fingerprint": "0200e9918bc2a7bf9c116d0907e50ac3df640c758b93852cf1890ec6e14d870d", "category": "testing", "severity": "high", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_NO_TESTS", "scanner": "repobility-core", "correlation_key": "repo|testing|core_no_tests"}}}, {"ruleId": "MINED123", "level": "error", "message": {"text": "[MINED123] Trojan Source bidi character (RLM) in source: Line 54 contains a Unicode bidirectional override character (U+200F RLM). This is the 'Trojan Source' attack (CVE-2021-42574): the character makes the compiler / interpreter see different code than the human reviewer."}, "properties": {"repobilityId": 85695, "scanner": "repobility-supply-chain", "fingerprint": "d45efd1c7d257fac8c1fe7957431aab8d311ad2ed8a2347baff9251c703514e3", "category": "dependency", "severity": "critical", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "Collapsed 14 duplicate scanner signal(s) for the same underlying issue.", "evidence": {"mined": true, "mining": {"slug": "trojan-source-bidi", "owasp": null, "cwe_ids": ["CWE-1007"], "languages": ["any"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "vuln||CVE-2021-42574|token", "duplicate_count": 14, "duplicate_rule_ids": ["MINED123"], "duplicate_scanners": ["repobility-supply-chain"], "duplicate_fingerprints": ["0deda2cc73a594a347d94078442bffe5b6e65ab7eea8467bf7ec4241b2fa8dce", "1755d9d42dfcac4a7316ae524c8f37c7efb888b046631bbe43d4900fa471d632", "1ad0044aac7215688154e40c5e5b9e043008992d2ab563a54b1b895c05b6fc60", "1ef4280a5496dabaa4373f3f928079ebb1fb8f08a7cfb4b979022286000b0084", "25efdc803fd86044bd33c94e995fab8820264c11e291ec8fffd50bba4140e6ca", "2d1dd2857b611f1c809eb6bdd4eea55e11b6081198b42097e9180850ca58d0db", "61820092c48e9c4cf768be11c4b02313981c86773fe4c960b9a03fd795b73a65", "6972ef0712c3c610b98ef6d2664ffd539a5c1c7a7cb3ebfdbcef7a0c52ed9ff2", "6ab8d1f59db2a175cf7a70a43a3eefe85bae93b844a0e67a624eaf9afae1d03a", "73f1d925e73961a330a5286854f1fd3efca7bd72072a1a9936ebaee78edcc6ee", "7fad8ee69e7f268e1b5c7f8183bd7b6af2cd41ef75ed4cb0b6ba17c5129f9b9b", "86460aa1df1f832b6ea059cf2ac9b90e75a2178daa1156cf7ae8d394c12b9c3d"]}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/config/locale/currencies.php"}, "region": {"startLine": 54}}}]}, {"ruleId": "DKC008", "level": "error", "message": {"text": "Compose service mounts the Docker socket"}, "properties": {"repobilityId": 85649, "scanner": "repobility-docker", "fingerprint": "06e09963377a07a4a20527b71981d73846f54077d17ab92042adef6ccda686f6", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Volume mount references /var/run/docker.sock.", "evidence": {"rule_id": "DKC008", "scanner": "repobility-docker", "service": "appwrite-worker-functions", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|06e09963377a07a4a20527b71981d73846f54077d17ab92042adef6ccda686f6"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 214}}}]}, {"ruleId": "DKC008", "level": "error", "message": {"text": "Compose service mounts the Docker socket"}, "properties": {"repobilityId": 85627, "scanner": "repobility-docker", "fingerprint": "95b7c9915d32a7d159e18dddc5895f91f53918ade39ac0edbfdb6dddf72bf1ad", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Volume mount references /var/run/docker.sock.", "evidence": {"rule_id": "DKC008", "scanner": "repobility-docker", "service": "appwrite", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|95b7c9915d32a7d159e18dddc5895f91f53918ade39ac0edbfdb6dddf72bf1ad"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 354}}}]}, {"ruleId": "DKC008", "level": "error", "message": {"text": "Compose service mounts the Docker socket"}, "properties": {"repobilityId": 85625, "scanner": "repobility-docker", "fingerprint": "b52848c9680676646cb3b3f200cc1eb51a7ab12a3e39090be3650d73d19e207d", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Volume mount references /var/run/docker.sock.", "evidence": {"rule_id": "DKC008", "scanner": "repobility-docker", "service": "traefik", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|b52848c9680676646cb3b3f200cc1eb51a7ab12a3e39090be3650d73d19e207d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/resources/docker/docker-compose.yml"}, "region": {"startLine": 1}}}]}, {"ruleId": "DKC007", "level": "error", "message": {"text": "Compose service contains a literal secret environment value"}, "properties": {"repobilityId": 85617, "scanner": "repobility-docker", "fingerprint": "ac5efde21fd62c79651444e650fe7f519aa3a865abede39d058fc67907963d09", "category": "docker", "severity": "critical", "confidence": 0.96, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Environment variable name is secret-like and value is a committed literal.", "evidence": {"rule_id": "DKC007", "scanner": "repobility-docker", "service": "adminer", "variable": "ADMINER_DEFAULT_PASSWORD", "references": ["https://docs.docker.com/compose/how-tos/environment-variables/best-practices/", "https://docs.docker.com/reference/compose-file/secrets/"], "path_context": "runtime", "correlation_key": "fp|ac5efde21fd62c79651444e650fe7f519aa3a865abede39d058fc67907963d09", "compose_secrets_declared": false}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1152}}}]}, {"ruleId": "DKC008", "level": "error", "message": {"text": "Compose service mounts the Docker socket"}, "properties": {"repobilityId": 85603, "scanner": "repobility-docker", "fingerprint": "665b4ee39366dec9569c661805e89561b6a03a5a6918ebaef0e7a200c9fd0870", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Volume mount references /var/run/docker.sock.", "evidence": {"rule_id": "DKC008", "scanner": "repobility-docker", "service": "openruntimes-executor", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|665b4ee39366dec9569c661805e89561b6a03a5a6918ebaef0e7a200c9fd0870"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 977}}}]}, {"ruleId": "DKC008", "level": "error", "message": {"text": "Compose service mounts the Docker socket"}, "properties": {"repobilityId": 85579, "scanner": "repobility-docker", "fingerprint": "1ede7fc276d2242b6ca10a3e750fe2401ff6644d9e097e70387406e6a708a83a", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Volume mount references /var/run/docker.sock.", "evidence": {"rule_id": "DKC008", "scanner": "repobility-docker", "service": "appwrite", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|1ede7fc276d2242b6ca10a3e750fe2401ff6644d9e097e70387406e6a708a83a"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 1228}}}]}, {"ruleId": "DKC008", "level": "error", "message": {"text": "Compose service mounts the Docker socket"}, "properties": {"repobilityId": 85576, "scanner": "repobility-docker", "fingerprint": "65342001e38c8fec356dc2dc6110301bb8e6d144b4eca6550e08691b0c41c9ae", "category": "docker", "severity": "critical", "confidence": 0.98, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": "Volume mount references /var/run/docker.sock.", "evidence": {"rule_id": "DKC008", "scanner": "repobility-docker", "service": "traefik", "references": ["https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"], "correlation_key": "fp|65342001e38c8fec356dc2dc6110301bb8e6d144b4eca6550e08691b0c41c9ae"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": "docker-compose.yml"}, "region": {"startLine": 13}}}]}, {"ruleId": "SEC009", "level": "error", "message": {"text": "[SEC009] .env File Committed: .env file with secrets committed to repository."}, "properties": {"repobilityId": 85542, "scanner": "repobility-threat-engine", "fingerprint": "5d2991e6b2f00e4b61d743d1035228f1df1aa036f7a4897f3fc085baaab5fc55", "category": "credential_exposure", "severity": "critical", "confidence": 1.0, "triageState": "open", "verdict": "confirmed", "isResolved": false, "reason": ".env file exists in repository root", "evidence": {"reason": ".env file exists in repository root", "rule_id": "SEC009", "scanner": "repobility-threat-engine", "confidence": 1.0, "correlation_key": "fp|5d2991e6b2f00e4b61d743d1035228f1df1aa036f7a4897f3fc085baaab5fc55"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".env"}, "region": {"startLine": 1}}}]}, {"ruleId": "CORE_ENV_FILE", "level": "error", "message": {"text": ".env file committed to repository"}, "properties": {"repobilityId": 85516, "scanner": "repobility-core", "fingerprint": "23cf83b5b9ef2fbf14bfabb5febcb625a2b459499bad568b550a990d3c7e1f81", "category": "security", "severity": "critical", "confidence": null, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"rule_id": "CORE_ENV_FILE", "scanner": "repobility-core", "correlation_key": "fp|23cf83b5b9ef2fbf14bfabb5febcb625a2b459499bad568b550a990d3c7e1f81"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".env"}, "region": {"startLine": 1}}}]}]}]}